Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Increase bcrypt rounds #480

Open
chrisshiplet opened this issue Jul 9, 2020 · 0 comments
Open

Increase bcrypt rounds #480

chrisshiplet opened this issue Jul 9, 2020 · 0 comments
Labels
enhancement Modification to an existing feature

Comments

@chrisshiplet
Copy link
Contributor

chrisshiplet commented Jul 9, 2020
edited
Loading

Currently we use the node bcrypt library's default count of 2^10 rounds. On modern hardware this results in a hash that takes ~50ms to compute. For most apps, we should be targeting 250-1000ms. This issue seeks to:

  • Increase the default count to a sane value, maybe 2^12 (we should target whatever amount of clock time we decide)
  • To accommodate existing installations, when the user logs in, we should re-hash it with the new count. We can use the hash itself to determine the count for a given password, and make sure we are comparing them correctly in the login flow
  • We might want to offer this as an env var, in case we have a project that demands tighter security in the future

As part of this issue we may want to evaluate bcryptjs, and eliminate a native compiled dependency.
@bobeagan bobeagan added the enhancement Modification to an existing feature label Jul 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Modification to an existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bobeagan @chrisshiplet