Open vasiliyb opened 10 years ago
Hello, the time depends on the variable cost parameter, which is human-readable in the hash as $2a${cost}${salt}{hashedpw}. The computing time doubles each time you increment the cost by 1. So the answer to your question depends on your cost parameter.
Thanks! So probably for speed in production for user authentication, I'd want to keep that cost value (salt) down lower than the default 10, yes?
Thanks!
You would have to test different values on your production environment (based on processor speed and the number of simultaneous visitors). You can also re-hash later with a higher cost when you have better hardware. You can also keep a higher cost value on the same hardware by using a faster library like twin-bcrypt (pure JS) or node.bcrypt.js (if you don't mind installing dependencies).
Folks, the following function call takes roughly 80 msecs to execute and return.
console:
Expected behavior? I've read here http://stackoverflow.com/questions/15763086/bcrypt-for-password-hashing-because-it-is-slow, and from what I understand this isn't all that harmful to an auth service. 100 msecs is OK to expect for authentication, but will make an attacker's job more difficult.
Thoughts?
Thanks!
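The cost parameter and the re-hash-later advice from the replies, as an added example that is not code from this thread or from any of the libraries mentioned: it reads the cost out of a stored hash, projects hashing time from one measurement using the doubling rule, and flags hashes to upgrade at the next successful login. The function names, the latency budget and the sample hash are assumptions, and the 80 ms at cost 10 baseline assumes the measurement quoted above was taken at the default cost.

```javascript
// Added example: names, budget and sample hash are assumptions, not library API.

// bcrypt layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  const cost = parseInt(m[2], 10);
  // bcrypt accepts cost factors from 4 to 31
  if (cost < 4 || cost > 31) throw new Error('cost out of range');
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Time doubles per +1 cost, so project from one measurement taken on the target host.
function estimateMs(measuredMs, measuredCost, cost) {
  return measuredMs * Math.pow(2, cost - measuredCost);
}

// Highest cost whose projected time fits the latency budget (never below the minimum of 4).
function pickCost(measuredMs, measuredCost, budgetMs) {
  let cost = 4;
  while (cost < 31 && estimateMs(measuredMs, measuredCost, cost + 1) <= budgetMs) cost++;
  return cost;
}

// Call after a successful password check, when the plaintext is available to re-hash.
function needsRehash(storedHash, targetCost) {
  return parseBcrypt(storedHash).cost < targetCost;
}

// Constructed sample: correct shape only, not a real password hash.
const SAMPLE = '$2a$10$' + 'a'.repeat(22) + 'b'.repeat(31);

console.log(parseBcrypt(SAMPLE).cost, pickCost(80, 10, 100), needsRehash(SAMPLE, 12));
```

The projection is only a starting point; measure on the production host under concurrent load before settling on a target cost.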