WT-13041: increase BCrypt default complexity

Increase the default number of iteration of BCryptHashFunction to 12. This is above the minimum of 10 iterations recommended by ASVS.
emweb · Nov 5, 2024 · 8301cfc · 8301cfc
1 parent d2ed29f
commit 8301cfc
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/src/Wt/Auth/HashFunction.C b/src/Wt/Auth/HashFunction.C
@@ -9,6 +9,7 @@
 
 #include "Wt/Utils.h"
 #include "Wt/WException.h"
+#include "Wt/WLogger.h"
 
 #ifndef WT_TARGET_JAVA
 // for htonl():
@@ -31,6 +32,7 @@ extern "C" {
 #endif
 
 namespace Wt {
+  LOGGER("Auth.HashFunction");
   namespace Auth {
 
 HashFunction::~HashFunction()
@@ -86,7 +88,11 @@ std::string SHA1HashFunction::name() const
 
 BCryptHashFunction::BCryptHashFunction(int count)
   : count_(count)
-{ }
+{
+  if (count_ < 10) {
+    LOG_WARN("ASVS recommends using BCrypt with at least 10 iterations.");
+  }
+}
 
 std::string BCryptHashFunction::compute(const std::string& msg,
                                         const std::string& salt) const

diff --git a/src/Wt/Auth/HashFunction.h b/src/Wt/Auth/HashFunction.h
@@ -141,8 +141,13 @@ class WT_API BCryptHashFunction final : public HashFunction
    * stored in the computed hash.
    *
    * The value of \p count needs to be 0, or in the range 4-31.
+   * 
+   * By default \p count has a value of 12.
+   * 
+   * \note <a href="https://owasp.org/www-project-application-security-verification-standard/" target="_blank">
+   *       ASVS</a> recommends using BCrypt with at least 10 iterations.
    */
-  BCryptHashFunction(int count = 0);
+  BCryptHashFunction(int count = 12);
 
   /*! \brief Returns the name for this hash function.
    *