kelektiv / node.bcrypt.js

bcrypt for NodeJs
MIT License

bcrypt compare is very slow #963

Closed adamcole123 closed 1 year ago

adamcole123 commented 1 year ago

So I'm trying to optimise some code for signing a user in. I have some code that checks the user's password, but for some reason it takes like 100ms to complete. This is killing my load tests, as running code that takes 100ms 50 times a second slows down other operations hugely.

Here is the code (including the code I used to check the speed of it).

let passwordCheck = false;
var startTime = performance.now();
if(userDto!.password && foundUser!.password) {
    // bcrypt.compare re-runs the hash with the cost embedded in the stored hash
    passwordCheck = await this.bc.compare(userDto.password, foundUser!.password);
}
var endTime = performance.now();
console.log(`user password check took ${endTime - startTime} milliseconds`);

How can I speed this up?

bcrypt version: "bcrypt": "^5.0.1"

recrsn commented 1 year ago

Password hashes are deliberately slow to prevent brute-forcing. This is by design.

You can reduce the rounds (default is 10) to make it faster. Remember that the minimum number of rounds is 4.

This is absolutely not recommended for a production system. The minimum rounds you should use is 10, with 13 being the recommended value.

adamcole123 commented 1 year ago

@recrsn Can you explain further? By reducing the rounds do you mean when the password is initially hashed? or is this something that is involved in the comparison process?

recrsn commented 1 year ago

Yes when the password is initially hashed. bcrypt.hash takes a rounds parameter.

Alternatively, since it's a load-test scenario, why don't you generate a password with a low number of rounds and manually update the database?

However, on a real-world system, comparison is going to take 100-200ms (anything less is insecure) so you should plan accordingly.
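The cost factor recrsn refers to is stored inside every bcrypt hash (the `$2b$10$` prefix), and bcrypt's work doubles with each step of it. The following is an added example, not code from node.bcrypt.js or from anyone in this thread: it parses that prefix out of a stored hash, estimates how `compare()` latency scales from one measured data point, and flags hashes whose cost is below a policy minimum so they can be re-hashed on the user's next successful login. The sample hashes and the 100 ms measurement are constructed values; hashing itself still needs the bcrypt package, which this snippet does not call.

```javascript
// Added example (not from the node.bcrypt.js project). Runs offline: it only
// inspects the modular-crypt-format string that bcrypt.hash() produces.
// Format: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored bcrypt hash into its fields; throws on anything else.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// bcrypt runs 2^cost key-expansion rounds, so compare() time doubles per cost
// step. Extrapolate from one measurement (e.g. 100 ms at cost 10).
function estimateCompareMs(measuredMs, measuredCost, targetCost) {
  return measuredMs * 2 ** (targetCost - measuredCost);
}

// Policy check: a hash below the minimum cost should be re-hashed after the
// next successful login (you need the plaintext, so login is the only chance).
function needsRehash(hash, minCost) {
  return parseBcryptHash(hash).cost < minCost;
}

// Highest cost whose estimated compare() time stays within a latency budget.
// bcrypt's valid range is 4..31; the loop never leaves it.
function maxCostWithinBudget(measuredMs, measuredCost, budgetMs) {
  let cost = 4;
  while (cost < 31 && estimateCompareMs(measuredMs, measuredCost, cost + 1) <= budgetMs) {
    cost++;
  }
  return cost;
}

// Constructed sample hashes: syntactically valid, not real digests of any password.
const SAMPLE_COST10 = '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const SAMPLE_COST04 = '$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

// Walk a set of stored hashes and report what a login path would do with each.
function auditStoredHashes(hashes, minCost) {
  return hashes.map((h) => ({ cost: parseBcryptHash(h).cost, rehash: needsRehash(h, minCost) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditStoredHashes([SAMPLE_COST10, SAMPLE_COST04], 10));
  console.log('cost 13 from 100 ms @ cost 10 ->', estimateCompareMs(100, 10, 13), 'ms');
  console.log('max cost within 250 ms budget ->', maxCostWithinBudget(100, 10, 250));
}
```

The useful operational point is that the cost is per hash, not per server: lowering it for a load test by writing a low-cost hash into the test database (as suggested above) changes only that row, while `needsRehash` is the check a real login path would use to migrate old low-cost rows upward over time.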

adamcole123 commented 1 year ago

Thanks for the help, will try this. Do you have any resources for guidance on 'planning accordingly'?

xgqfrms commented 1 year ago

> Password hashes are deliberately slow to prevent brute-forcing. This is by design.
>
> You can reduce the rounds (default is 10) to make it faster. Remember that the minimum number of rounds is 4.
>
> This is absolutely not recommended for a production system. The minimum rounds you should use is 10, with 13 being the recommended value.

@recrsn this is very helpful, but I still have a confusing question