Will It Vibe logoWill It Vibe?
AUTHZ-014Medium severity-8 points

Weak bcrypt cost factor

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

bcrypt is called with a single-digit cost factor (rounds below 10), which is well under the recommended work factor and makes stolen hashes cheap to crack.

Why it matters

A single-digit bcrypt cost factor (rounds below 10) makes each hash cheap to compute, which is exactly what you do not want: a low work factor lets an attacker who steals the hashes test billions of guesses fast. The default of 10 is already modest; values like 4 or 6 offer almost no protection on modern hardware.

How to fix it

Use a bcrypt cost factor of at least 12, tuned so a single hash takes roughly a quarter second on your production hardware. Set it once as a named constant. When you raise the factor, existing users transparently upgrade by rehashing at their next successful login.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks