Update password hash docs, add more validation on password hash

user/types.go

@@ -249,7 +249,8 @@ var (
 	ErrInvalidArgument        = errors.New("invalid argument")
 	ErrUserNotFound           = errors.New("user not found")
 	ErrUserExists             = errors.New("user already exists")
-	ErrPasswordHashInvalid    = errors.New("password hash but be a bcrypt hash, use 'ntfy user hash' to generate")
+	ErrPasswordHashInvalid    = errors.New("password hash must be a bcrypt hash, use 'ntfy user hash' to generate")
+	ErrPasswordHashWeak       = errors.New("password hash too weak, use 'ntfy user hash' to generate")
 	ErrTierNotFound           = errors.New("tier not found")
 	ErrTokenNotFound          = errors.New("token not found")
 	ErrPhoneNumberNotFound    = errors.New("phone number not found")

user/util.go

@@ -45,6 +45,12 @@ func ValidPasswordHash(hash string) error {
 	if !strings.HasPrefix(hash, "$2a$") && !strings.HasPrefix(hash, "$2b$") && !strings.HasPrefix(hash, "$2y$") {
 		return ErrPasswordHashInvalid
 	}
+	cost, err := bcrypt.Cost([]byte(hash))
+	if err != nil {
+		return err
+	} else if cost < DefaultUserPasswordBcryptCost {
+		return ErrPasswordHashWeak
+	}
 	return nil
 }