`bcrypt_cost: 20` cause time out when creating account.

[p3nj]

• Dendrite version or git SHA: matrixdotorg/dendrite-monolith:latest (0.5.0)
• Monolith or Polylith?: Monolith
• SQLite3 or Postgres?: Postgres split by services.
• Running in Docker?: Yes
• go version: idk, full containerized.

Description

This happens inside a environment spec list below:

• Digital Ocean AMD droplet 2C4G
• using dokku do manage all the services
• using dokku:postgres create all the databases service for dendrite services separately
• this happens when system load:

  top - 15:15:29 up 7 days, 13:34,  1 user,  load average: 0.14, 0.13, 0.16
  Tasks: 312 total,   1 running, 311 sleeping,   0 stopped,   0 zombie
  %Cpu(s):  0.7 us,  0.5 sy,  0.0 ni, 98.8 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
  MiB Mem :   3931.4 total,    299.4 free,   1241.7 used,   2390.2 buff/cache
  MiB Swap:   6144.0 total,   5086.1 free,   1057.9 used.   2133.8 avail Mem

Inside dendrite.yaml under user_api section if bcrypt_cost is set to 20, it will cause client service to timed out when using monolith docker setup. Eventually it will return CORS error but it is because bcrypt is taking too long that HTTP request would not willing to wait.

Background information

docker container logs

if you check the dendrite container log it will only shows two lines of log about making request to create account, but no error messages and nothing else.

nginx error logs

nginx error log will only shows that can not connect to upstream and time out the request.

Steps to reproduce

• set bcrypt_cost: 20 inside dendrite.yaml user_api section.
• rebuild the dendrite service or restart to load the config.
• register new account.

since the configuration file shows max bcrypt_cost is limited to 31, it will be nice if when account creation request is made, http request is willing to wait until bcrypt calculation is finished.

[kegsay]

Increasing the bcrypt cost increases the CPU time used and hence total time taken. The cost you should use will vary based on:

• The amount of security you want in the event of a database breach. Higher cost = better security
• The amount of time you're willing to wait for a user to register or login. Higher cost = slower to login
• The amount of CPU resources you have available. Higher CPU => requires higher cost to balance out the other two points.

Two cores (assuming that's the 2C in 2C4G) on a DO droplet simply is too slow for bcrypt cost this high. Lower it. For more information on this, see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#work-factors