Nodered hacked by adding invisible nodes

If you were using a hashed password, did the hash begin with $2b$08? If you must expose anything with a password, then at least hash it with a higher cost. You could probably use 15 or higher on your setup, if you don't mind being slowed down ever so slightly when logging in. The built-in node-red admin hash-pw seems to only use 8 rounds, which is a little too low for modern hardware. Hashing the password yourself and using a higher cost won't stop the brute force, but it might slow the baddies and give you a little time to notice the attempt to gain access.

1 Like
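A way to check the point made in the post above, as an added example that is not part of the original post or of Node-RED itself: it reads the cost out of each bcrypt hash in an `adminAuth` block (the `$2b$08$` prefix encodes version and cost) and flags anything below the 15 suggested above. The function names and the sample users are hypothetical, and the hash bodies are constructed placeholders, not real hashes.

```javascript
// Added example: audit the bcrypt cost of Node-RED adminAuth password hashes.
// A bcrypt hash has the form $<version>$<cost>$<22-char salt><31-char digest>.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns { version, cost, rounds } or null if the string is not a bcrypt hash.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // bcrypt only defines costs 4..31
  return { version: m[1], cost, rounds: 2 ** cost }; // work doubles per cost step
}

// Hypothetical helper: classify every user in an adminAuth object.
// minCost defaults to 15, the value suggested in the post (an assumption, tune it).
function auditAdminAuth(adminAuth, minCost = 15) {
  const users = (adminAuth && adminAuth.users) || [];
  return users.map((u) => {
    const parsed = parseBcrypt(u.password);
    if (!parsed) {
      // Plaintext, truncated or non-bcrypt value: treat as the worst case.
      return { username: u.username, status: 'not-bcrypt' };
    }
    if (parsed.cost < minCost) {
      // cheaperBy: how many times less work each guess costs an attacker
      // compared with the same password hashed at minCost.
      return { username: u.username, status: 'low-cost', cost: parsed.cost,
               cheaperBy: 2 ** (minCost - parsed.cost) };
    }
    return { username: u.username, status: 'ok', cost: parsed.cost };
  });
}

// Constructed sample input shaped like the adminAuth section of settings.js.
const pad = 'A'.repeat(22) + 'B'.repeat(31); // placeholder salt + digest
const sampleAdminAuth = {
  type: 'credentials',
  users: [
    { username: 'admin', password: '$2b$08$' + pad, permissions: '*' },
    { username: 'ops', password: '$2b$15$' + pad, permissions: '*' },
    { username: 'legacy', password: 'hunter2', permissions: 'read' },
  ],
};

console.table(auditAdminAuth(sampleAdminAuth));
```

A cost-8 hash is flagged as 128 times cheaper per guess than a cost-15 one; the fix is to re-hash the password at the higher cost and replace the value in `settings.js`.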