
#0704

Insufficient Bcrypt Rounds

Difficulty: Medium · +100 XP · OWASP A07:2021 Identification and Authentication Failures · CWE-916
Tags: Password Hashing · bcrypt · Cost Factor

Scenario

A developer configured bcrypt with a cost factor (rounds) of 4 to speed up tests. That setting was never changed for production.

bcrypt with 4 rounds completes in under 1 millisecond. An attacker with a leaked database can run billions of guesses per second.

OWASP recommends a minimum bcrypt cost factor of 10; NIST recommends tuning until hashing takes at least 300 ms on your hardware — commonly rounds 12+.

The cost factor is bcrypt's defence against brute-force. Developers often lower it during development for speed, then forget to raise it. A cost factor of 4 provides essentially no protection on modern hardware.

Your Tasks

  1. Fix validateHashConfig to throw 'Insufficient rounds' when config.rounds is less than 12.
  2. Throw 'Unsupported algorithm' if config.algorithm is not one of bcrypt, argon2, or scrypt.
  3. Return the config object unchanged when it is valid.

Examples

Example 1: Too few rounds — throws

validateHashConfig({ algorithm: 'bcrypt', rounds: 4 })
// → throws Error('Insufficient rounds')

Example 2: Valid config — passes

validateHashConfig({ algorithm: 'bcrypt', rounds: 12 })
// → { algorithm: 'bcrypt', rounds: 12 }

Constraints

  • Throw exactly 'Insufficient rounds' for low round counts.
  • Throw exactly 'Unsupported algorithm' for unknown algorithms.
  • Minimum safe rounds value is 12.
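The following is an added worked example, not the challenge's own solution file. It implements validateHashConfig as the tasks and constraints above specify, and adds a small calibration helper for the tuning advice in the scenario (hashing time doubles with each bcrypt cost increment, so one measured timing at a known cost is enough to pick a cost that meets a latency target). The names SUPPORTED_ALGORITHMS, MIN_SAFE_ROUNDS, workFactorRatio and recommendedRounds are this example's own choices; the 300 ms target is the figure quoted in the scenario.

```javascript
// Added example: validator for password-hash configuration plus a cost
// calibration helper. Not the challenge's reference solution.

const SUPPORTED_ALGORITHMS = new Set(['bcrypt', 'argon2', 'scrypt']);
const MIN_SAFE_ROUNDS = 12; // constraint from the challenge text

// Throws 'Unsupported algorithm' for anything outside the allow-list and
// 'Insufficient rounds' when rounds is missing, non-integer or below the
// minimum. Returns the very same object (not a copy) when valid.
function validateHashConfig(config) {
  if (config === null || typeof config !== 'object' ||
      !SUPPORTED_ALGORITHMS.has(config.algorithm)) {
    throw new Error('Unsupported algorithm');
  }
  // Fail closed: a missing rounds field must not slip through. Note that
  // a bare `config.rounds < 12` would NOT throw for undefined in JS.
  if (!Number.isInteger(config.rounds) || config.rounds < MIN_SAFE_ROUNDS) {
    throw new Error('Insufficient rounds');
  }
  return config;
}

// bcrypt work grows as 2^cost, so moving from cost a to cost b multiplies
// the attacker's (and your) work by 2^(b-a). Cost 4 -> 12 is 256x.
function workFactorRatio(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Given one timing measurement (milliseconds for a single hash at a known
// cost), return the smallest cost at which a hash takes at least targetMs,
// never below MIN_SAFE_ROUNDS. bcrypt's valid cost range is 4..31.
function recommendedRounds(measuredMs, measuredCost, targetMs = 300) {
  if (!(measuredMs > 0) || !Number.isInteger(measuredCost) ||
      measuredCost < 4 || measuredCost > 31) {
    throw new RangeError('invalid measurement');
  }
  let cost = measuredCost;
  let ms = measuredMs;
  while (ms < targetMs && cost < 31) {
    cost += 1;
    ms *= 2; // each increment doubles the Blowfish key-schedule work
  }
  return Math.max(cost, MIN_SAFE_ROUNDS);
}

// Usage with constructed inputs (no real bcrypt timing is taken here):
if (typeof require !== 'undefined' && require.main === module) {
  console.log(validateHashConfig({ algorithm: 'bcrypt', rounds: 12 }));
  for (const bad of [{ algorithm: 'bcrypt', rounds: 4 },
                     { algorithm: 'bcrypt' },
                     { algorithm: 'md5', rounds: 12 }]) {
    try { validateHashConfig(bad); } catch (e) { console.log(e.message); }
  }
  // Scenario: cost 4 takes under 1 ms; assume 0.5 ms was measured.
  console.log('cost 4 -> 12 work ratio:', workFactorRatio(4, 12));
  console.log('recommended cost:', recommendedRounds(0.5, 4));
}

module.exports = { validateHashConfig, workFactorRatio, recommendedRounds };
```

The algorithm check runs before the rounds check because a round count is meaningless for an unknown algorithm; the challenge text does not fix an order, so treat that as this example's choice. The rounds check deliberately rejects a missing or non-integer field: in JavaScript `undefined < 12` evaluates to false, so a validator written as the literal task statement would silently accept a config that never set rounds at all.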

Hint

References
