Sure. This is in the context of XSS attacks.
Consider something like this template:
If the comment were a SCRIPT tag, with the angle brackets, that might be problematic.
What EJS does for us is convert < to &lt; (and likewise for the other special characters), so that the comment (the SCRIPT tag) is displayed as text and won't be executed.
But if we (foolishly) put the following in our template:
Then converting the angle brackets doesn't help, because we've already told the browser to execute the user's code. Let's hope they aren't malicious!
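As an added illustration (not part of the original answer, and not EJS's own code), here is a tiny EJS-style renderer that handles just the two interpolation tags in question. The escape table mirrors the characters EJS's escapeXML replaces; the sample comment is constructed.

```javascript
// Minimal stand-in for EJS's two interpolation tags:
//   <%= name %>  -> value inserted HTML-escaped (what EJS does for us)
//   <%- name %>  -> value inserted verbatim (the "foolish" template)
// Added example; the renderer is a simplification, not EJS itself.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHTML(value) {
  // Same five characters EJS's escapeXML replaces.
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, (_, mode, name) => {
    const value = data[name] === undefined ? '' : data[name];
    return mode === '=' ? escapeHTML(value) : String(value);
  });
}

// Constructed sample: a "comment" that is really a SCRIPT tag.
const COMMENT = '<script>alert("hi")</script>';

// The template a careful author writes...
const SAFE_TEMPLATE = '<p class="comment"><%= comment %></p>';
// ...and the one the answer above calls foolish.
const UNSAFE_TEMPLATE = '<p class="comment"><%- comment %></p>';

function renderSafe() { return render(SAFE_TEMPLATE, { comment: COMMENT }); }
function renderUnsafe() { return render(UNSAFE_TEMPLATE, { comment: COMMENT }); }

// Defender-side check for output review: did a real <script tag survive?
function containsScriptTag(html) { return /<script\b/i.test(html); }

console.log(renderSafe());    // angle brackets become &lt; and &gt;: shown as text
console.log(renderUnsafe());  // SCRIPT tag passed through untouched
```

The escaped output still reads as the user's text once the browser decodes the entities; it simply never becomes markup.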
Yes, you are right! So that means that instead of hashing your password in 0.0002 seconds, it might take 2 seconds: 10,000 times longer.
Can you wait 2 seconds to login? Sure; you probably wouldn't even notice.
Of course, we can push this too far. Increase the work factor a bit more and people won't want to wait 20 seconds to login.
But we don't need things to be that slow. Just forcing them to take 1 second to try a password means that to try a million passwords takes 31 years, which is more than secure enough.
Then two different strings are valid passwords for an account. In this case, that's fine. There are some cryptographic situations in which this would be bad, but not here.
This is just like "joining" in the first place. The user has to supply a new password, which is hashed and replaces the old one.
Of course, there are practical issues, like whether this person should be allowed to reset this password. So we email them a special link (under the assumption that the bad guys haven't hacked their email account) that allows them to reset their password.
No, for the reasons mentioned in the reading: (1) salt means that a password re-used on other platforms stays secure, and (2) the bad guys can't precompute hashes of likely passwords.
But you're right that salt is less important.
Bcrypt still uses salt, so we'll assume they know what they are doing.