You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently we use the node bcrypt library's default count of 2^10 rounds. On modern hardware this results in a hash that takes ~50ms to compute. For most apps, we should be targeting 250-1000ms. This issue seeks to:
Increase the default count to a sane value, maybe 2^12 (we should target whatever amount of clock time we decide)
To accommodate existing installations, when the user logs in, we should re-hash it with the new count. We can use the hash itself to determine the count for a given password, and make sure we are comparing them correctly in the login flow
We might want to offer this as an env var, in case we have a project that demands tighter security in the future
As part of this issue we may want to evaluate bcryptjs, and eliminate a native compiled dependency.
The text was updated successfully, but these errors were encountered:
Currently we use the node bcrypt library's default count of 2^10 rounds. On modern hardware this results in a hash that takes ~50ms to compute. For most apps, we should be targeting 250-1000ms. This issue seeks to:
As part of this issue we may want to evaluate
bcryptjs, and eliminate a native compiled dependency.The text was updated successfully, but these errors were encountered: