Currently a BCrypt implementation is used to store long-term client secrets for OAuth. It uses a fixed cost factor (security.encryption.loadFactor) and a fixed salt (security.passcode.salt). Both can be adjusted in the configuration, but neither is stored per client secret, so they are not adjustable for secrets that are already stored (to the best of my understanding).
I would suggest making
- the salt random per password
- the cost dynamic, so that a global change to the cost leads to rehashing, on use, any client secret that was hashed with a different cost.
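The two suggestions combined, as an added illustration that is not code from the project: each record carries its own random salt and the cost it was hashed with (bcrypt's standard `$2b$<cost>$<salt+hash>` string already does this), and verification rehashes on use when the configured cost differs. The example substitutes standard-library PBKDF2-HMAC-SHA256 for bcrypt so it runs without third-party packages; the record format and function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, so the
# example runs offline. The cost is a log2 work factor like bcrypt's:
# iterations = 2 ** cost.
FORMAT = "pbkdf2-sha256"


def hash_secret(secret: str, cost: int) -> str:
    """Hash a client secret with a fresh random 16-byte salt.

    Salt and cost are embedded in the stored record, so changing the
    configured cost later neither invalidates old records nor needs a
    one-shot global migration.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 2 ** cost)
    return f"${FORMAT}${cost}${salt.hex()}${digest.hex()}"


def parse_record(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (cost, salt, digest)."""
    _, fmt, cost, salt_hex, digest_hex = stored.split("$")
    if fmt != FORMAT:
        raise ValueError(f"unsupported hash format: {fmt}")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_and_upgrade(secret: str, stored: str,
                       configured_cost: int) -> Tuple[bool, Optional[str]]:
    """Verify the secret against its record.

    Returns (matched, new_record). new_record is a rehash at the currently
    configured cost when the stored cost differs; the caller persists it.
    Rehashing can only happen here, because the plaintext secret is only
    available at verification time.
    """
    cost, salt, expected = parse_record(stored)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 2 ** cost)
    if not hmac.compare_digest(actual, expected):
        return False, None
    if cost != configured_cost:
        return True, hash_secret(secret, configured_cost)
    return True, None
```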