Weak bcrypt cost factor
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
bcrypt is called with a single-digit cost factor (rounds below 10), which is well under the recommended work factor and makes stolen hashes cheap to crack.
Why it matters
A single-digit bcrypt cost factor (rounds below 10) makes each hash cheap to compute, which is exactly what you do not want: a low work factor lets an attacker who steals the hashes test billions of guesses fast. The default of 10 is already modest; values like 4 or 6 offer almost no protection on modern hardware.
How to fix it
Use a bcrypt cost factor of at least 12, tuned so a single hash takes roughly a quarter second on your production hardware. Set it once as a named constant. When you raise the factor, existing users transparently upgrade by rehashing at their next successful login.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo