When generating hashed data for "HTTP Basic" login auth protection, using bcrypt as the hash algorithm, one can vary the resultant hash strength by varying specify bcrypt's $cost, e.g.
php -r "echo password_hash('$my_pass', PASSWORD_BCRYPT, ['cost' => $cost]) . PHP_EOL;"
Of course, increased $cost requires increased encryption time. E.g., on my desktop, the hash encryption times vary with cost as,
cost time 5 0m0.043s 6 0m0.055s 7 0m0.059s 8 0m0.075s 9 0m0.081s 10 0m0.110s 11 0m0.169s 12 0m0.285s 13 0m0.518s 14 0m0.785s 15 0m1.945s 16 0m3.782s 17 0m7.512s 18 0m14.973s 19 0m29.903s 20 0m59.735s 21 1m59.418s 22 3m58.792s ...
For site login usage, does *client* login time vary at all with the hash $cost?
Other than the initial, one-time hash generation, is there any login-performance reason NOT to use the highest hash $cost?