RFC: bcrypt hashing cost factor
The hashing cost factor is currently set to just 1. This is a bad idea for security: the salted hash can likely be cracked using commodity hardware with only a single round.
It seems the general recommendation is to decide the optimal cost factor based on practical computation time. We should probably do this, but we also want to account for the following:
- for testing we just want it to be fast - so when `process.env.NODE_ENV === 'test'` the cost factor should be 1
- we want good, well reasoned security by default
- we want to allow the user to configure the number of rounds for their own app
We could do something like this:
```javascript
// Use the cheapest cost in the test environment, otherwise the app's
// configured value, falling back to the project default (its value is
// not specified in this RFC).
const testing = process.env.NODE_ENV === 'test'
const bcryptrounds = testing ? 1 : CONFIG['pubsweet-backend']['bcrypt-rounds'] || DEFAULT_BCRYPT_ROUNDS
```
thoughts?
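As an added example (not pubsweet's own code), here is one way to resolve the cost factor with the three requirements above plus input validation, and to pick a cost from a time budget as the general recommendation suggests. Names `resolveBcryptRounds`, `pickCostForBudget` and `modeledHashMs` are hypothetical, the default of 12 is an assumption, and the test override uses 4 rather than 1 because bcrypt implementations (including the OpenBSD original) reject costs below 4.

```javascript
// Added example, not pubsweet's own code. All names below are hypothetical.
const BCRYPT_MIN_COST = 4    // smallest cost bcrypt accepts (2^4 key-expansion rounds)
const BCRYPT_MAX_COST = 31
const DEFAULT_BCRYPT_ROUNDS = 12 // assumed default; the RFC leaves it unspecified

// Resolve the cost to use. `env` is process.env; `config` is the app's config
// section (e.g. CONFIG['pubsweet-backend']). Test runs get the minimum cost;
// anything else must be an integer in bcrypt's range, so a typo or a
// string like '1' in config fails loudly instead of silently weakening hashes.
function resolveBcryptRounds(env, config, fallback = DEFAULT_BCRYPT_ROUNDS) {
  if (env.NODE_ENV === 'test') return BCRYPT_MIN_COST
  const raw = config ? config['bcrypt-rounds'] : undefined
  if (raw === undefined || raw === null || raw === '') return fallback
  const rounds = Number(raw) // config values often arrive as strings
  if (!Number.isInteger(rounds) || rounds < BCRYPT_MIN_COST || rounds > BCRYPT_MAX_COST) {
    throw new RangeError(
      `bcrypt-rounds must be an integer in [${BCRYPT_MIN_COST}, ${BCRYPT_MAX_COST}], got ${JSON.stringify(raw)}`
    )
  }
  return rounds
}

// Pick the smallest cost whose single-hash time meets the budget (e.g. 250 ms
// per login on the production hardware). `timeHashMs(cost)` measures one hash
// at that cost; inject a real timer built on bcrypt's hashSync/genSaltSync,
// or the offline model below.
function pickCostForBudget(timeHashMs, budgetMs, start = BCRYPT_MIN_COST) {
  for (let cost = start; cost <= BCRYPT_MAX_COST; cost++) {
    if (timeHashMs(cost) >= budgetMs) return cost
  }
  return BCRYPT_MAX_COST
}

// Offline stand-in: bcrypt's work doubles with every cost step, so model
// cost 4 as 1 ms and scale from there (constructed timing, not a measurement).
function modeledHashMs(cost) {
  return Math.pow(2, cost - BCRYPT_MIN_COST)
}

// Example: with the modeled timings, a 250 ms budget lands on cost 12.
const chosen = pickCostForBudget(modeledHashMs, 250)
```

Re-run the budget pick on the deployment hardware, not a developer laptop, since the cost that meets 250 ms there is what bounds an attacker's guess rate.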