hrvoje_hr Also, about passwords. How complicated for someone malicious would be to rehash passwords from the database?
Hashcat has a built-in BCrypt hashing mode, which means that it's actually incredibly simple to do; the hard part is the hardware requirements, and knowledge of how hashcat works.
For some context, as part of security where I work I (because I'm the only IT guy) download the password hashes of all of our employees, and then brute-force those hashes using two methods.
The first method is a wordlist, basically I have a large list of previously breached passwords, combined with sports teams, city names, popular first and last names, etc. and hashcat uses that wordlist to combine words, and try every combination of replacing letters with numbers, etc.
Using this first method, the first time we did this, I was able to breach around 15% of passwords, and it took just under 8 hours on an i7 12th Gen Laptop processor.
The second method is straight-up brute force, still using hashcat, in which I was able to break an additional 4% of passwords in just under a month. But importantly, again, this was on my work laptop, and it hadn't even finished with 9-character passwords.
If I had a GPU rig (like the ones they use for crypto mining) I could have broken A LOT more user passwords. A recent security conference I went to had a talk on this exact subject, and the speaker suggested that using about $800 worth of hardware you can crack every password shorter than 16 characters in just under a year.
I don't want to alarm anyone, far from it, however short, weak passwords are easily breakable when an attacker can directly attack the hash, without any form of rate limiting.
For that reason, you should either use a password manager to generate random, long (20+ character) passwords, or if you are going to remember the password, use a passphrase with multiple words (preferably rarer ones), numbers, symbols, lowercase, uppercase, and if you can, native characters (in other words, if your keyboard can enter Chinese characters, use them, not ASCII). Or if the website allows it, use a Passkey (hardware token) for sign in.
Password cracking becomes exponentially harder for every character added. So if you assume a standard keyboard layout, and we assume that 27 keys can't be used (like enter, F-row, etc.) that leaves us with 74 * 2 (because shift key) or 148. So to crack a 1-character password it takes 148 guesses, for 2-character passwords it takes 148^2 guesses (21,904), etc.
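As an added illustration (not part of the post above), the following Python code reproduces both points the reply makes: the 148^n brute-force keyspace, and why a rule-mangled dictionary word like "p@ssw0rd" falls to the wordlist method long before brute force matters. The leet substitution table and the guess rate are assumptions chosen for the example, not hashcat's own rules or measured numbers.

```python
from itertools import product
from typing import Iterator

# Constructed leet-substitution table (an assumption for this example;
# hashcat's real rule files are far larger).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def mangle(word: str) -> Iterator[str]:
    """Enumerate every leet-style variant of a base word, the kind of
    rule-based expansion the wordlist method applies to each entry."""
    choices = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    for combo in product(*choices):
        yield "".join(combo)


def mangled_count(word: str) -> int:
    """How many candidates one base word expands to under the rules above."""
    return sum(1 for _ in mangle(word))


def covered_by_rules(candidate: str, wordlist: list[str]) -> bool:
    """True if the candidate is reachable from the wordlist via mangling,
    i.e. a cracker never needs brute force to find it."""
    return any(candidate == m for w in wordlist for m in mangle(w))


def keyspace(length: int, alphabet_size: int = 148) -> int:
    """Candidates of exactly `length` symbols: 148^n with the post's alphabet."""
    return alphabet_size ** length


def cumulative_keyspace(max_length: int, alphabet_size: int = 148) -> int:
    """Candidates of length 1..max_length, what exhaustive brute force must
    try before every password up to that length is guaranteed covered."""
    return sum(keyspace(n, alphabet_size) for n in range(1, max_length + 1))


def seconds_to_exhaust(max_length: int, guesses_per_second: float,
                       alphabet_size: int = 148) -> float:
    """Worst-case time to exhaust all lengths up to max_length at a given
    (assumed) guess rate; halve it for the expected time to hit one target."""
    return cumulative_keyspace(max_length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # Constructed wordlist and rate, purely for demonstration.
    print("p@ssw0rd covered by rules:", covered_by_rules("p@ssw0rd", ["password"]))
    print("variants of 'password':", mangled_count("password"))
    print("8-char brute-force keyspace:", keyspace(8))
    print("days to exhaust <=8 chars at 1e9/s:", seconds_to_exhaust(8, 1e9) / 86400)
```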