Closed rix0rrr closed 3 years ago

We have `bcrypt` at the default work factor of 12, which is a bit steep for our single-core Heroku box. Right now, any bcrypt hash operation takes about ~300 ms:

Keeping in mind that the box has only a single processor and so can only do one thing at a time, 3 logins/signups/password resets/any bcrypt operation will block anyone else from submitting a program to the web server or doing anything else for a full second [0]. This is already leading to noticeable load and latency spikes on the metrics dashboard.

Yes, we could spring for more cores, but we're on a bit of a budget and would like to stretch our single-core machine as far as it'll go.

We should reduce the work factor of the `bcrypt` operations to something more reasonable, like 9:

This is going to require some code to check the load factor of a user's existing salt and regenerate, re-hash and re-store their password if their current salt does not match our current desired work factor.

Hi @rix0rrr !

This can definitely give some oxygen to the Heroku box. While I'd rather use the default load factor and I think we'll have to get multiple cores sooner than later, it could be worth doing this in the meantime.

If I understand correctly, the implementation would require:

@fpereiro Yes, those are exactly the steps that are needed. Happy if you can take this up!

@Felienne will do!
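The check-and-rehash step the issue describes, written out as an added example (this is not the project's own code). It reads the work factor straight out of the stored hash's `$2b$NN$` prefix, compares it with the desired cost, and re-hashes only after a successful login, because that is the only moment the plaintext is available. The `checkpw`/`hashpw` primitives are injected so the flow can run offline; the `_fake_*` stand-ins and the `hunter2` user record are constructed for the demo and are not secure. In production you would pass `bcrypt.checkpw` and a wrapper around `bcrypt.hashpw(pw, bcrypt.gensalt(rounds=cost))` from the real `bcrypt` package.

```python
"""Added example: detect a bcrypt hash stored at the wrong work factor and
re-hash it on the user's next successful login (not the project's own code)."""
import re

# Modular-crypt-format prefix of a bcrypt hash: $2b$12$<22 salt chars><31 hash chars>
_BCRYPT_PREFIX = re.compile(r"^\$2[abxy]\$(\d{2})\$")

DESIRED_COST = 9  # the work factor proposed in the issue


def bcrypt_cost(stored_hash: str) -> int:
    """Return the work factor (log2 of the round count) encoded in a bcrypt hash.

    Raises ValueError for anything that is not bcrypt-shaped, so an unexpected
    hash format fails loudly instead of being silently kept forever.
    """
    m = _BCRYPT_PREFIX.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % stored_hash[:7])
    return int(m.group(1))


def needs_rehash(stored_hash: str, desired_cost: int = DESIRED_COST) -> bool:
    """True when the stored hash was made at a cost other than desired_cost.

    Both directions count: a cost-12 hash is brought down to 9 for the
    single-core box, and a cost-6 hash would be raised back up to 9.
    """
    return bcrypt_cost(stored_hash) != desired_cost


def verify_and_upgrade(password: bytes, stored_hash: bytes, desired_cost: int,
                       checkpw, hashpw):
    """Verify a login and, only on success, return an upgraded hash to store.

    Returns (ok, new_hash). new_hash is None when the password was wrong or
    the stored hash is already at desired_cost. checkpw(password, stored) -> bool
    and hashpw(password, cost) -> bytes are injected (assumption: the caller
    wires them to the real bcrypt package in production).
    """
    if not checkpw(password, stored_hash):
        return False, None  # never touch the stored hash on a failed login
    if not needs_rehash(stored_hash.decode("ascii"), desired_cost):
        return True, None
    return True, hashpw(password, desired_cost)


def expected_ms(measured_ms: float, measured_cost: int, desired_cost: int) -> float:
    """bcrypt cost is log2 of the rounds, so each step down halves the time."""
    return measured_ms / 2 ** (measured_cost - desired_cost)


# --- constructed stand-ins so the flow runs without the bcrypt package ------
def _fake_hashpw(password: bytes, cost: int) -> bytes:
    # Same prefix layout as a real hash; the body is NOT a secure hash.
    body = (password.hex() * 4)[:53].ljust(53, "0")
    return ("$2b$%02d$" % cost + body).encode("ascii")


def _fake_checkpw(password: bytes, stored: bytes) -> bool:
    return stored[7:] == _fake_hashpw(password, bcrypt_cost(stored.decode("ascii")))[7:]


def main():
    # Constructed user table: one account still hashed at the old default cost.
    users = {"alice": _fake_hashpw(b"hunter2", 12)}
    print("cost 12 -> 9 should cut ~300 ms to ~%.1f ms" % expected_ms(300, 12, 9))

    ok, new_hash = verify_and_upgrade(b"hunter2", users["alice"], DESIRED_COST,
                                      _fake_checkpw, _fake_hashpw)
    if ok and new_hash is not None:
        users["alice"] = new_hash  # re-store the hash at the desired cost
        print("alice: login ok, hash upgraded to cost", bcrypt_cost(new_hash.decode()))

    ok, new_hash = verify_and_upgrade(b"hunter2", users["alice"], DESIRED_COST,
                                      _fake_checkpw, _fake_hashpw)
    print("alice: second login ok=%s, rehash needed=%s" % (ok, new_hash is not None))


if __name__ == "__main__":
    main()
```

Only a successful verification may trigger the re-hash; a wrong password must leave the stored record untouched, otherwise an attacker could downgrade or churn other users' hashes without knowing their passwords.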