go: weak bcrypt cost

[burntcarrot]

Description

This checker detects the usage of bcrypt.GenerateFromPassword with a cost factor less than 10. The bcrypt algorithm is designed to be computationally expensive to protect passwords against brute-force attacks. A low cost factor reduces the computational effort, making it easier for attackers to crack passwords. This checker is flagged as a security warning to ensure bcrypt is configured with a sufficiently high cost factor.

Recommendations

Use a cost factor of 10 or higher when calling bcrypt.GenerateFromPassword. OWASP recommends a cost factor of at least 10, and it should be increased as computing power grows. Adjust the cost factor based on performance testing to ensure it provides adequate security without causing unacceptable delays.

References

• OWASP Password Storage Cheat Sheet: Recommends a bcrypt cost factor of 10 or higher
• CWE-916: Use of Password Hash With Insufficient Computational Effort: Describes the risk of using password hashes that are too easy to compute.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
globstar	⬜️ Ignored (Inspect)	Visit Preview		Feb 25, 2025 4:53pm