
Add config for bcrypt cost, default to 12 instead of 8.#5084

Open
AndrolGenhald wants to merge 1 commit into advplyr:master from AndrolGenhald:bcrypt-cost-config

Conversation

@AndrolGenhald

Brief summary

Allow configuring bcrypt cost, default to 12 instead of 8.

In-depth Description

The recommended cost for bcrypt these days is usually 12, with 10 being the recommendation from over a decade ago. This PR adds an environment variable BCRYPT_COST to configure the bcrypt cost, with a minimum of 8.

I was unable to find any source for the documentation here, so that will need to be updated separately. I recommend updating it with:

  • BCRYPT_COST (default: 12)
    • This influences the time it takes to hash passwords when logging in; increasing by 1 doubles how long it takes.
    • It is recommended to leave it at the default, or, if it takes too long to log in, decrease it by 1 until logging in takes less than half a second (note that each user's first login after changing will take extra long to re-hash using the new cost).

How have you tested this?

Created several users, logged in after changing bcrypt cost, changed passwords after changing bcrypt cost again.
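The cost handling the description above outlines, as an added illustration that is not the PR's own code: resolving `BCRYPT_COST` with the default of 12 and minimum of 8, reading the cost back out of a stored bcrypt hash so a login can decide whether to re-hash, and the doubling of work per cost step. The function names, the upper clamp at 31 (bcrypt's own limit) and the sample hash are assumptions of this example; actual hashing with the bcrypt library is left out.

```javascript
// Added example, not code from the PR. Cost resolution and re-hash detection
// for a configurable bcrypt cost (default 12, minimum 8).

const DEFAULT_BCRYPT_COST = 12;
const MIN_BCRYPT_COST = 8;
const MAX_BCRYPT_COST = 31; // bcrypt's hard upper bound on the cost parameter

// Resolve the cost from an environment-like object (defaults to process.env).
// Missing or non-numeric values fall back to the default; out-of-range values
// are clamped into [MIN_BCRYPT_COST, MAX_BCRYPT_COST].
function resolveBcryptCost(env = process.env) {
  const raw = env.BCRYPT_COST;
  if (raw === undefined) return DEFAULT_BCRYPT_COST;
  const trimmed = String(raw).trim();
  if (!/^\d+$/.test(trimmed)) return DEFAULT_BCRYPT_COST;
  const parsed = Number.parseInt(trimmed, 10);
  return Math.min(MAX_BCRYPT_COST, Math.max(MIN_BCRYPT_COST, parsed));
}

// Modular-crypt bcrypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt
// and 31-char digest in bcrypt's base64 alphabet.
const BCRYPT_HASH_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function costFromHash(hash) {
  const m = BCRYPT_HASH_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  return Number.parseInt(m[1], 10);
}

// After a successful password check, a stored hash whose cost differs from the
// configured one should be re-hashed; this is the extra work the description
// mentions for each user's first login after a cost change.
function needsRehash(hash, configuredCost) {
  return costFromHash(hash) !== configuredCost;
}

// Relative hashing work: each +1 in cost doubles it, i.e. 2^(cost - base).
function relativeCost(cost, base = MIN_BCRYPT_COST) {
  return 2 ** (cost - base);
}

// Constructed sample (not a real hash of any password): a cost-8 hash as an
// older install would have stored before the default moved to 12.
const SAMPLE_HASH_COST_8 =
  '$2b$08$' + 'abcdefghijklmnopqrstuv' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
```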
