
I am trying to fully understand the relationship between BCRYPT's COST factors and how much more time it would take a machine to crack a password with PHP 5.5's password_hash()

The encryption times I observed on an average server for password_hash() are:

COST 14 takes 1.23s to 2s
COST 13 takes 0.6 to 1s
COST 12 takes about 0.3s
COST 11 takes about 0.15s
COST 10 takes about 0.08s
COST 09 takes about 0.04s

1. Is the number of rounds linearly proportional to the time taken?

2. Is the computation time required to crack a password on the same linear scale, or exponential-like?

e.g. if a COST 10 hash took 1 minute to crack, how much time are we looking at with COST 14 for the same password? I assume this would vary depending on the password entropy, so let's take an average, fairly weak 10-letter password such as "EasyCrack1" as the basis for the reasoning.

hexalys

1 Answer


As documented rather indirectly in the page for the crypt() function, the cost parameter is the base-2 logarithm of iteration count, or to put it another way, each +1 increase to cost represents a doubling of the number of iterations.

If a cost-10 hash takes one minute to crack, a cost-14 would take 2^(14-10) = 16 minutes. Cracking a cryptographic hash like bcrypt consists of guessing what the password is, hashing it, and seeing if the hashes match, so the difficulty of cracking increases proportionately with the hashing time. Just like increasing the cost by 1 doubles the hashing time, it doubles the effort involved in cracking the hash.

Dave
Mark
  • Got it. For weak passwords, the `cost` isn't doing much at all then. Especially with the `cost` being given away in the hash itself. – hexalys Apr 16 '15 at 05:39
  • Right. If the password is in the attacker's dictionary, an increased cost will slow them down, but not by enough to matter. It's only once they've exhausted the dictionary and are starting to try every possible combination that the increase pays off: one hour vs. ten hours doesn't really matter, but one year vs. ten years does. – Mark Apr 16 '15 at 08:16
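An added example in Python, not from the question or the answer: it parses the cost out of a stored bcrypt hash string (the `$2y$10$...` form PHP's password_hash() produces, which is where the cost is "given away"), scales a measured cracking time by 2^(cost difference) as the answer describes, and flags hashes stored below a policy cost so they can be rehashed at next login. The hash strings are constructed placeholders with the correct shape, not real hashes, and the function names are my own.

```python
import re

# bcrypt modular-crypt format: $<prefix>$<cost>$<22-char salt><31-char digest>,
# where cost is the base-2 logarithm of the iteration count.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed placeholder salt/digest with the right alphabet and length;
# not the output of any real bcrypt run.
EXAMPLE_SALT = "abcdefghijklmnopqrstuv"
EXAMPLE_DIGEST = "0123456789ABCDEFGHIJKLMNOPQRSTU"


def make_example_hash(cost):
    """Build a placeholder bcrypt string at the given cost (constructed, for demo)."""
    return f"$2y${cost:02d}$" + EXAMPLE_SALT + EXAMPLE_DIGEST


def bcrypt_cost(hash_str):
    """Return the cost parameter stored in a bcrypt hash string."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    return int(m.group(2))


def iterations(cost):
    """Number of key-setup rounds implied by a cost value (2**cost)."""
    return 1 << cost


def relative_effort(cost, baseline_cost):
    """Work per guess relative to baseline_cost; each +1 doubles it."""
    return 2 ** (cost - baseline_cost)


def projected_crack_time(hash_str, baseline_cost, baseline_seconds):
    """Scale a measured cracking time at baseline_cost to the cost in hash_str.
    The guess count is unchanged; only the per-guess time grows."""
    return baseline_seconds * relative_effort(bcrypt_cost(hash_str), baseline_cost)


def needs_rehash(hash_str, min_cost):
    """Defender-side check: True if the stored hash is below the policy cost."""
    return bcrypt_cost(hash_str) < min_cost


if __name__ == "__main__":
    h = make_example_hash(14)
    # one minute at cost 10 becomes 16 minutes at cost 14
    print(bcrypt_cost(h), projected_crack_time(h, 10, 60) / 60)
```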