Bcrypt, maintaining the work factor: what about users that don't log in for a long time?

I was trying to understand how to maintain the work factor for passwords hashed with bcrypt.

I found a solution here: Optimal bcrypt factor, which essentially says that you can re-hash on user login.

But I don't understand how it solves the problem for the users that don't log in for a long time. In this case I suppose the only solution is to send them an email saying that their account will be deactivated for security purposes?

J-Y asked Oct 23 '25

1 Answer

A password hashed with Bcrypt is still well protected, even if you need to increase the cost factor; maybe you can just wait for the next login. If your site really needs this much security, there are two ways out of the problem that I know of:

1) You can reset this password, and guide the user to the lost password page the next time he wants to log in. Of course it would be polite to explain the reason to the user.

2) You can store the cost factor and the salt of the current password hash in the database. Then use Bcrypt to hash the already hashed password. When the user logs in the next time, you can first hash it with the stored salt/cost, and afterwards take the result and hash it normally. If the login is successful, do not forget to update to the new cost factor.

Hope this sounds a bit understandable.

martinstoeckli answered Oct 26 '25
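The wrapping scheme from option 2 of the answer, as an added example that is not the answer author's code and not taken from any bcrypt library. To run without third-party packages it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (an assumption; `cost` is log2 of the iteration count, mirroring bcrypt's cost factor). The record layout, the function names and the sample password are illustrative. With real bcrypt the stored 60-character hash string is what you feed into the next `bcrypt.hashpw()` call, which stays under bcrypt's 72-byte input limit, and the inner layer's salt and cost are already embedded in that string. The example goes slightly beyond the answer by allowing more than one offline upgrade: each upgrade adds a layer, and a successful login collapses all layers back into one fresh hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple


# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so the example needs no
# third-party package. "cost" is log2 of the iteration count, analogous to
# bcrypt's cost factor; with the real thing this would be bcrypt.hashpw().
def kdf(secret: bytes, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 1 << cost)


@dataclass
class PasswordRecord:
    # (salt, cost) of each hashing layer, innermost first. A freshly hashed
    # password has exactly one layer; every offline upgrade wraps one more.
    layers: List[Tuple[bytes, int]]
    digest: bytes  # output of the outermost layer


def hash_password(password: str, cost: int) -> PasswordRecord:
    """Normal registration/login path: a single layer at the current cost."""
    salt = os.urandom(16)
    return PasswordRecord([(salt, cost)], kdf(password.encode("utf-8"), salt, cost))


def upgrade_offline(rec: PasswordRecord, new_cost: int) -> PasswordRecord:
    """Option 2: raise the work factor of a dormant account without the
    plaintext by hashing the stored digest again with a fresh salt. The old
    salt/cost stay in the record so that login can replay the chain."""
    salt = os.urandom(16)
    return PasswordRecord(rec.layers + [(salt, new_cost)],
                          kdf(rec.digest, salt, new_cost))


def verify(password: str, rec: PasswordRecord) -> bool:
    """Replay every layer innermost to outermost, then compare in constant time."""
    value = password.encode("utf-8")
    for salt, cost in rec.layers:
        value = kdf(value, salt, cost)
    return hmac.compare_digest(value, rec.digest)


def login(password: str, rec: PasswordRecord,
          target_cost: int) -> Tuple[bool, PasswordRecord]:
    """Verify, and on success collapse a wrapped or under-cost record into one
    fresh hash at target_cost (the 'do not forget to update' step). Returns
    the record the caller should store."""
    if not verify(password, rec):
        return False, rec
    needs_rehash = len(rec.layers) > 1 or rec.layers[0][1] < target_cost
    return True, (hash_password(password, target_cost) if needs_rehash else rec)


if __name__ == "__main__":
    # Constructed sample: a record created at cost 10, upgraded to cost 12 while
    # the user was away, then collapsed on the next successful login.
    rec = hash_password("correct horse battery staple", cost=10)
    rec = upgrade_offline(rec, new_cost=12)
    ok, rec = login("correct horse battery staple", rec, target_cost=12)
    print(ok, len(rec.layers), rec.layers[0][1])  # True 1 12
```

Two practical points the code makes visible: a wrapped record costs the sum of all its layers to verify, so collapsing it on the first successful login matters for latency as much as for tidiness, and verification of a wrapped record must apply the layers in exactly the stored order, which is why the old salt/cost are persisted alongside the new ones rather than discarded.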


