diff --git a/apps/emqx_authn/src/emqx_authn_password_hashing.erl b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
index 4954cd66e..66bc6bfc6 100644
--- a/apps/emqx_authn/src/emqx_authn_password_hashing.erl
+++ b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
@@ -63,6 +63,9 @@
     check_password/4
 ]).
 
+-define(SALT_ROUNDS_MIN, 5).
+-define(SALT_ROUNDS_MAX, 10).
+
 namespace() -> "authn-hash".
 
 roots() -> [pbkdf2, bcrypt, bcrypt_rw, simple].
@@ -71,11 +74,12 @@ fields(bcrypt_rw) ->
     [
         {salt_rounds,
             sc(
-                integer(),
+                range(?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX),
                 #{
-                    default => 10,
-                    example => 10,
-                    desc => "Salt rounds for BCRYPT password generation."
+                    default => ?SALT_ROUNDS_MAX,
+                    example => ?SALT_ROUNDS_MAX,
+                    desc => "Work factor for BCRYPT password generation.",
+                    converter => fun salt_rounds_converter/2
                 }
             )}
     ];
@@ -106,6 +110,13 @@ fields(simple) ->
         {salt_position, fun salt_position/1}
     ].
 
+salt_rounds_converter(undefined, _) ->
+    undefined;
+salt_rounds_converter(I, _) when is_integer(I) ->
+    emqx_utils:clamp(I, ?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX);
+salt_rounds_converter(X, _) ->
+    X.
+
 desc(bcrypt_rw) ->
     "Settings for bcrypt password hashing algorithm (for DB backends with write capability).";
 desc(bcrypt) ->
diff --git a/changes/ce/feat-11487.en.md b/changes/ce/feat-11487.en.md
new file mode 100644
index 000000000..352a11c06
--- /dev/null
+++ b/changes/ce/feat-11487.en.md
@@ -0,0 +1,2 @@
+The bcrypt work factor is limited to the range 5-10, because higher values consume too much CPU resources.
+Bcrypt library is updated to allow parallel hash evaluation.
diff --git a/mix.exs b/mix.exs
index bc8d93f4b..225f1753b 100644
--- a/mix.exs
+++ b/mix.exs
@@ -815,7 +815,7 @@ defmodule EMQXUmbrella.MixProject do
 
   defp bcrypt_dep() do
     if enable_bcrypt?(),
-      do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.0", override: true}],
+      do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.1", override: true}],
       else: []
   end
 
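Review bot: The two new macros `SALT_ROUNDS_MIN` and `SALT_ROUNDS_MAX` in the first hunk of emqx_authn_password_hashing.erl are bare numbers with no comment recording why the work factor is capped at 10 and floored at 5, and that rationale (hashing CPU cost under concurrent authentication, per the changelog entry in this commit) is exactly what a maintainer needs before touching either bound. The floor also has a password-storage consequence worth stating: the bcrypt cost is a log2 value, so 5 means only 2^5 key-expansion rounds, which is a hard minimum rather than a sensible setting. I would add above the defines: `%% Bounds for the bcrypt work factor (log2 of key-expansion rounds). The cap bounds hashing cost under concurrent auth; the floor is a minimum, not a recommended value.`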
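Review bot: The converter added on the `converter => fun salt_rounds_converter/2` line in the `fields(bcrypt_rw)` hunk silently rewrites any out-of-range `salt_rounds` to the nearest bound, so an operator who configures a value above 10 gets 10 with no indication, and the `range(?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX)` check on the line above presumably never sees the original integer (I assume the schema applies the converter before the type check; worth confirming). For a setting that governs password-hash strength a downgrade should be visible, so the `desc` should say it, e.g. `desc => "Work factor for BCRYPT password generation. Values outside 5..10 are clamped to the nearest bound.",` and the `is_integer(I)` clause of `salt_rounds_converter/2` in the following hunk should emit a warning-level log when the clamped value differs from the input. The `fields(bcrypt_rw)` clause continues outside the hunk.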
diff --git a/rebar.config.erl b/rebar.config.erl
index ad6f425a0..6e1c64a40 100644
--- a/rebar.config.erl
+++ b/rebar.config.erl
@@ -36,7 +36,7 @@ assert_otp() ->
     end.
 
 bcrypt() ->
-    {bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.0"}}}.
+    {bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.1"}}}.
 
 quicer() ->
     {quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.114"}}}.