Re: [PR] fix:optimize code and update dependencies [incubator-hugegraph]

Wed, 17 Dec 2025 20:29:02 -0800 


imbajin commented on code in PR #2918:
URL: 
https://github.com/apache/incubator-hugegraph/pull/2918#discussion_r2629503985


##########
hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java:
##########
@@ -140,7 +140,9 @@ public static String decompress(byte[] value, float 
bufferRatio) {
     }
 
     public static String hashPassword(String password) {
-        return BCrypt.hashpw(password, BCrypt.gensalt(4));
+        // OWASP suggests 10 as a minimum and 12โ€“14 for production;
+        // workFactor 12 is not used by default due to its 200+ ms cost.
+        return BCrypt.hashpw(password, BCrypt.gensalt(10));

Review Comment:
   **๐Ÿงน Minor: Consider using constant for work factor**
   
   The magic number `10` appears in multiple places. Consider defining a 
constant for maintainability:
   
   ```suggestion
       private static final int BCRYPT_WORK_FACTOR = 10;
       
       public static String hashPassword(String password) {
           // OWASP suggests 10 as a minimum and 12โ€“14 for production;
           // workFactor 12 is not used by default due to its 200+ ms cost.
           return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_WORK_FACTOR));
       }
   ```
   
   This makes it easier to adjust the work factor later and ensures consistency 
across the codebase.



##########
hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java:
##########
@@ -165,7 +165,9 @@ public static String decompress(byte[] value, float 
bufferRatio) {
     }
 
     public static String hashPassword(String password) {
-        return BCrypt.hashpw(password, BCrypt.gensalt(4));
+        // OWASP suggests 10 as a minimum and 12โ€“14 for production;
+        // workFactor 12 is not used by default due to its 200+ ms cost.

Review Comment:
   **๐Ÿงน Minor: Same constant suggestion for consistency**
   
   This file should use the same constant approach as suggested for 
hugegraph-core's StringEncoding.java:
   
   ```suggestion
       private static final int BCRYPT_WORK_FACTOR = 10;
       
       public static String hashPassword(String password) {
           // OWASP suggests 10 as a minimum and 12โ€“14 for production;
           // workFactor 12 is not used by default due to its 200+ ms cost.
           return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_WORK_FACTOR));
       }
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to