diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index f26ea4822e0664e21a89e6337348877d79abffce..93c570f1b991a9fbc930c55bc370cc8e3bef0e1e 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -46,7 +46,8 @@ email = require('./email.js'),
 bcrypt = require('bcrypt'),
 crypto = require('crypto'),
 logger = require('../../libs/logging.js').logger,
-ca = require('./ca.js');
+ca = require('./ca.js'),
+BCRYPT_WORK_FACTOR = 12;
 
 function checkParams(params) {
   return function(req, resp, next) {
@@ -141,7 +142,7 @@ function setup(app) {
     }
 
     // bcrypt the password
-    bcrypt.gen_salt(10, function (err, salt) {
+    bcrypt.gen_salt(BCRYPT_WORK_FACTOR, function (err, salt) {
       if (err) {
         winston.error("error generating salt with bcrypt: " + err);
         return resp.json(false);
@@ -247,6 +248,9 @@ function setup(app) {
         if (success) {
           if (!req.session) req.session = {};
           req.session.authenticatedUser = req.body.email;
+
+          // if the work factor has changed, update the hash here
+          
         }
         resp.json(success);
       });