BCrypt hashing should support migration of older costs
In the current implementation of the BCryptHashingStrategy a password is hashed with crypt, and the hash contains the algorithm and parameters together with the salt that was used to hash the password.
During validation only the salt is taken from the hashed password, so the cost parameter has to match the original cost. This is very problematic if the cost needs to be changed during the lifetime of a project. A high cost means slow logins but more securely hashed passwords.
The hashing strategy should be able to validate an existing hash with a different cost, both for migration of password hashes and for updates to the cost parameter during the lifetime of a project (with hardware improvements, hashing will always get cheaper over time).
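The following is an added example of the behaviour the report asks for; it is not the project's BCryptHashingStrategy. The class name, method names and the sample password are hypothetical, and it assumes PHP 7 or later (the `$2y$` prefix needs PHP 5.3.7+, `hash_equals` needs 5.6+). The point it shows: if validation passes the full stored hash to `crypt()` as the salt argument, `crypt()` reads the algorithm, cost and salt from that hash, so a hash created with an older cost still validates; a separate check compares the embedded cost with the configured one so the hash can be upgraded at login, the only moment the plaintext is available.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hashing strategy written for this example (not the project's class).
 * Hashes with the configured cost, validates against whatever cost is embedded in the
 * stored hash, and reports when a stored hash should be re-hashed with the current cost.
 */
final class MigratableBCryptHashingStrategy
{
    private int $cost;

    public function __construct(int $cost = 12)
    {
        if ($cost < 4 || $cost > 31) {
            throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
        }
        $this->cost = $cost;
    }

    public function hashPassword(string $password): string
    {
        // 22-character salt from the bcrypt alphabet ./A-Za-z0-9 (base64 with '+' mapped to '.')
        $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
        $hash = crypt($password, sprintf('$2y$%02d$%s', $this->cost, $salt));
        if (strlen($hash) !== 60) {
            throw new RuntimeException('bcrypt hashing failed');
        }
        return $hash;
    }

    public function validatePassword(string $password, string $storedHash): bool
    {
        // Passing the complete stored hash as the salt makes crypt() reuse the algorithm,
        // cost and salt recorded in it, so the configured cost does not have to match.
        $recomputed = crypt($password, $storedHash);
        return strlen($recomputed) === 60 && hash_equals($storedHash, $recomputed);
    }

    public function needsRehash(string $storedHash): bool
    {
        // Cost is the two digits after the "$2y$" (or "$2a$"/"$2x$") prefix.
        if (preg_match('/^\$2[axy]\$(\d{2})\$/', $storedHash, $m) !== 1) {
            return true; // not a bcrypt hash this strategy recognises: migrate it
        }
        return (int) $m[1] !== $this->cost;
    }
}

// Usage: a hash stored while cost 10 was configured, validated after the cost was raised to 12.
$password   = 'correct horse battery staple';   // constructed sample password
$old        = new MigratableBCryptHashingStrategy(10);
$storedHash = $old->hashPassword($password);

$current = new MigratableBCryptHashingStrategy(12);
assert($current->validatePassword($password, $storedHash) === true);
assert($current->validatePassword('wrong password', $storedHash) === false);
assert($current->needsRehash($storedHash) === true);

// At login, after a successful validation, upgrade the stored hash to the current cost.
if ($current->validatePassword($password, $storedHash) && $current->needsRehash($storedHash)) {
    $storedHash = $current->hashPassword($password);
    assert($current->needsRehash($storedHash) === false);
}
```

Lowering the cost is handled the same way: `needsRehash` reports any mismatch, so a hash with a higher cost than currently configured is also re-hashed at the next login. The `hash_equals` comparison keeps validation constant-time with respect to the hash contents, which `===` would not guarantee.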