Using a cost factor of less than 10 for bcrypt GO-S1045

Using a more significant cost factor significantly increases the compute required to brute-force the passwords from the keys. It is recommended to use a cost factor of more than (or equal to) 10 for bcrypt. But note that there's a trade-off, a higher iteration count will increase the cost of an exhaustive search and make hashing proportionally slower.

Bad practice

package main

import (
    "golang.org/x/crypto/bcrypt"
)

func main() {
    _, _ = bcrypt.GenerateFromPassword([]byte("password"), 8)
}

Recommended

package main

import (
    "golang.org/x/crypto/bcrypt"
)

func main() {
    _, _ = bcrypt.GenerateFromPassword([]byte("password"), 10)
}

References

• OWASP A1:2021
• CWE-329