Incrementing Work-Factor of Hash Functions Over Time

You seem to have summed it up pretty well.

The only drawback I can think of is inactive users in your system - they will continue to have a previous work factor because they may never log in again, or may not have chance to log in before your next breach, meaning their stored password is more vulnerable to attack. As work factor is visible within the stored data, the attacker would know which ones are using the old setting (although they will not know the relative entropy within each password).

To prevent this, you could regularly disable accounts that have not been logged into for say 6 months, blanking their password at the same time. If they need to login at a future time, they can simply go through your forgotten password functionality to enable a new password to be set and stored with the new work factor.


A key point is that you have the password hashes in your database so you do not have to re-hash the password. Lets say you have hashed them (correctly, with salt ect.) N times. To double your work factor you can rehash the hashes N more times in the database. And then apply this same rehash to logins in the future. See https://crypto.stackexchange.com/questions/3003/do-i-have-to-recompute-all-hashes-if-i-change-the-work-factor-in-bcrypt and Is it possible to increase the cost of BCrypt or PBKDF2 when its already calculated and without the original password? for more details.