I had to hash my password; for that I used bcrypt. By following a tutorial, I found this code:
const bcrypt = require('bcrypt');
const saltRounds = 10;
bcrypt.hash(password, saltRounds).then(hashedPassword => {
  //...
});
I googled what saltRounds is and what its purpose is, until I found here, in "What are Salt Rounds and how are Salts stored in Bcrypt?", that you can control the time it takes to hash your passwords.
Does this mean you can control the strength of encrypted passwords with just one property, saltRounds?
Yes, more work for bcrypt does indeed increase password security. The whole purpose of increasing work factors is to provide that increase.
Higher bcrypt work factors improve password security at the individual user level, because it's harder to crack each user's hash individually (if the attacker is interested in just one specific account). No hash / factors will protect an extremely weak password, but stronger hashing has a better chance of extending protection "downward" through a weaker / intermediate range of password strengths.
Stronger work factors also increase password security at the aggregate security level (for the entire target user set). This is because higher bcrypt work factors make attacking the entire set at once materially harder - especially as the number of users grows. The more compute / cores / memory are required, the more expensive (in time and resources) it is for the attacker.
The trade-off, of course, is that more work for the attacker (harder to crack) also means more work for the defender / maintainer (higher resource cost for valid authentications). It's important to tune your work factor to be the highest that both you and your users can tolerate, including worst-case scenarios like an "authentication storm" (where all of your users need to re-authenticate simultaneously). A bcrypt cost of 12, and a target per-user delay of 0.5 seconds, is often a good balance of these factors - but you need to assess (and test!) this for your own use case.
Bonus advice: make sure that your library and supporting code can support multiple costs simultaneously. As hardware gets faster, you'll want to increase your work factor for new/reset passwords, while simultaneously supporting existing ones. Fortunately, most libraries handle this transparently - but again, test for your own use case.
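Two helpers for the tuning and "multiple costs at once" points above, as an added example rather than code from the question, the answer, or the bcrypt package: one reads the cost out of a stored bcrypt string so a login handler can decide whether to rehash, the other picks the highest cost that stays under a target delay. The bcrypt string layout is the standard modular-crypt format; the sample hash and the timing function passed in are constructed, and the `bcrypt.hashSync` call mentioned in a comment is the npm `bcrypt` package's synchronous API.

```javascript
// Standard bcrypt string: $2a$ / $2b$ / $2y$, two-digit cost, 22 salt chars,
// 31 hash chars (60 characters in total), all from the ./A-Za-z0-9 alphabet.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Extract the cost (log2 of the rounds) from a stored hash. Malformed input
// throws, so a corrupted row is noticed instead of silently "needing rehash".
function parseBcryptCost(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  return parseInt(m[2], 10);
}

// True when the stored hash was made with a lower cost than current policy.
// After a successful login, hash the plaintext again with the new cost and
// replace the row; hashes at different costs coexist because the cost is
// embedded in each string and verify() reads it from there.
function needsRehash(hash, targetCost) {
  return parseBcryptCost(hash) < targetCost;
}

// Choose the highest cost whose measured hash time stays under targetMs.
// timeForCost(cost) returns milliseconds; with the real library pass e.g.
//   cost => { const t = Date.now(); bcrypt.hashSync('benchmark', cost); return Date.now() - t; }
// minCost is a floor so a slow test box never tunes the policy below it.
function calibrateCost(timeForCost, targetMs, minCost = 10, maxCost = 31) {
  let chosen = minCost;
  for (let cost = minCost; cost <= maxCost; cost++) {
    if (timeForCost(cost) > targetMs) break;
    chosen = cost;
  }
  return chosen;
}

// Constructed sample: valid bcrypt layout at cost 10, not a real password hash.
const SAMPLE_COST10 =
  '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
```

Run the calibration once at deployment on the real login hardware, not on a developer laptop, and store the chosen cost as configuration so `needsRehash` has a single policy value to compare against.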