Increase salt rounds for new passwords, and update hash with more salt rounds for old passwords#5665

Merged
christopherholland-workday merged 5 commits into main from feature/salt-round-increase
Jan 28, 2026
Conversation

@christopherholland-workday (Contributor)

Overview

Today, the application defaults to 5 salt rounds, increasing to 10 which is suggested by OWASP.

Additionally, adding a check to the login method to see if the existing hash uses 10 rounds or not using the bcrypt.getRounds() method, and updating the hash if it is less than 10 rounds.

Testing Details

  1. Booted up Flowise locally and signed up (using 5 salt rounds)
  2. Made code updates to use 10 rounds, but made a temporary change to the code to throw an exception after the check (if (hashNeedsUpgrade(user.credential!, minRounds))) confirming that the check worked and determined there were insufficient salt rounds
  3. Removed the exception from the code; login succeeded and so did subsequent logins
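The check-and-rehash flow the PR describes, as an added worked example that is not code from the PR or from Flowise. It assumes a `PasswordHasher` interface that a bcrypt library (`hashSync` / `compareSync` / `getRounds`) would satisfy; so that the file runs offline without bcrypt installed, the hasher used here is a stand-in built on Node's built-in scrypt that writes its own `$scrypt$NN$…` format. `bcryptRounds` reimplements what `bcrypt.getRounds()` does, parsing the cost out of a real `$2b$NN$` string, and the bcrypt-shaped strings in the test are constructed. `loginAndUpgrade`, `UserRecord`, `UserStore` and `MemoryStore` are names chosen for this example, not the project's.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Cost for new hashes and the floor that triggers an upgrade at login
// (the PR raises Flowise from 5 to 10, the value OWASP recommends).
export const DEFAULT_SALT_ROUNDS = 10;

// What the login flow needs from a hasher. In the real service this is the
// bcrypt library; ScryptDemoHasher below is a stand-in (assumption, not project code).
export interface PasswordHasher {
  hash(password: string, rounds: number): string;
  compare(password: string, hash: string): boolean;
  getRounds(hash: string): number;
}

export interface UserRecord { id: string; credential: string }
export interface UserStore { save(user: UserRecord): void }

// Cost parser for real bcrypt strings: "$2a|2b|2y$NN$" + 22 salt chars + 31 hash
// chars (60 total). Same contract as bcrypt.getRounds(): throws on anything that
// is not a bcrypt hash rather than returning 0, which would read as "needs upgrade".
export function bcryptRounds(hash: string): number {
  const m = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/.exec(hash);
  if (!m) throw new Error("not a bcrypt hash");
  return Number(m[1]);
}

export function hashNeedsUpgrade(
  hash: string, minRounds: number, getRounds: (h: string) => number = bcryptRounds,
): boolean {
  return getRounds(hash) < minRounds;
}

// Verify against the stored hash exactly as it is; only a successful verification
// hands us a plaintext we may rehash. A failed login never touches the credential.
export function loginAndUpgrade(
  user: UserRecord, password: string, hasher: PasswordHasher, store: UserStore,
  minRounds: number = DEFAULT_SALT_ROUNDS,
): { ok: boolean; upgraded: boolean } {
  if (!hasher.compare(password, user.credential)) return { ok: false, upgraded: false };
  if (!hashNeedsUpgrade(user.credential, minRounds, (h) => hasher.getRounds(h))) {
    return { ok: true, upgraded: false };
  }
  // Second KDF run on this request only: the upgrade cost is paid once per user.
  const rehashed = hasher.hash(password, minRounds);
  try {
    store.save({ ...user, credential: rehashed });
    user.credential = rehashed;
    return { ok: true, upgraded: true };
  } catch {
    // Persisting failed but the login itself succeeded; the old hash is still in
    // place, so the upgrade simply runs again at the next login.
    return { ok: true, upgraded: false };
  }
}

// Stand-in hasher, NOT bcrypt: Node's built-in scrypt with N = 2^rounds, written as
// "$scrypt$NN$<salt>$<digest>" so getRounds() reads the cost back from the prefix
// the way bcrypt.getRounds() reads "$2b$NN$".
export class ScryptDemoHasher implements PasswordHasher {
  hash(password: string, rounds: number): string {
    const salt = randomBytes(16).toString("base64url");
    const cost = (rounds < 10 ? "0" : "") + rounds;
    return "$scrypt$" + cost + "$" + salt + "$" + this.derive(password, salt, rounds);
  }
  compare(password: string, hash: string): boolean {
    const parts = hash.split("$");
    if (parts.length !== 5 || parts[1] !== "scrypt") return false; // not ours: reject, never throw
    const actual = Buffer.from(this.derive(password, parts[3], Number(parts[2])), "base64url");
    const expected = Buffer.from(parts[4], "base64url");
    return actual.length === expected.length && timingSafeEqual(actual, expected);
  }
  getRounds(hash: string): number {
    const m = /^\$scrypt\$(\d{2})\$/.exec(hash);
    if (!m) throw new Error("not a demo scrypt hash");
    return Number(m[1]);
  }
  private derive(password: string, salt: string, rounds: number): string {
    return scryptSync(password, salt, 32, { N: Math.pow(2, rounds), r: 8, p: 1 }).toString("base64url");
  }
}

export class MemoryStore implements UserStore {
  readonly rows: Record<string, UserRecord> = {};
  save(user: UserRecord): void { this.rows[user.id] = { ...user }; }
}
```

Two ordering points matter in practice. Comparing before calling `getRounds` means an account whose credential is not a bcrypt string (an SSO-only user, a migrated record) fails verification cleanly instead of throwing inside the rounds check. And the minimum should be read from one place (the PR's `getPasswordSaltRounds` helper) so the sign-up path and the login check cannot drift apart; at cost 10 a bcrypt computation is on the order of 100 ms, so an upgraded login pays that twice, once per user.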

@gemini-code-assist (bot) left a comment

Code Review

This pull request is a great security improvement. It increases the bcrypt salt rounds to the recommended value of 10 and implements a seamless upgrade path for existing users' passwords upon login. The changes are well-structured, introducing utility functions for checking and upgrading hashes. I have a few suggestions to reduce code duplication and improve maintainability, primarily around centralizing the logic for determining salt rounds and using the new getHash utility consistently.

@christopherholland-workday christopherholland-workday merged commit c045ceb into main Jan 28, 2026
6 checks passed
@yau-wd yau-wd deleted the feature/salt-round-increase branch January 29, 2026 06:37
vellanki-santhosh pushed a commit to vellanki-santhosh/Flowise that referenced this pull request Feb 17, 2026
…t rounds for old passwords (FlowiseAI#5665)

* Increase Default Salt Rounds from 5 to 10

Today, the application defaults to 5 salt rounds, increasing to 10 which is suggested by OWASP.

* Increase salt rounds

* feat(encryption.util.ts): add reusable getPasswordSaltRounds function

---------

Co-authored-by: yau-wd <yau.ong@workday.com>