shaneMangudi / bcrypt-nodejs

Native implementation of bcrypt for NodeJS

expected speed #29

Open vasiliyb opened 10 years ago

vasiliyb commented 10 years ago

Folks, the following function call takes roughly 80 msecs to execute and return.

    var _ = require('underscore');          // assumed source of _.now() (lodash provides it too)
    var bcrypt = require('bcrypt-nodejs');

    var timeStart = _.now();
    // req.body.password is the submitted plaintext, userObject.password the stored bcrypt hash
    bcrypt.compare(req.body.password, userObject.password, function(err, result) {
        var appTime = _.now() - timeStart;   // wall-clock time spent in compare(), in ms
        console.log('bcrypt compare', appTime);
        callback();
    });

console:

bcrypt compare 92

Expected behavior? I've read here http://stackoverflow.com/questions/15763086/bcrypt-for-password-hashing-because-it-is-slow, and from what I understand this isn't all that harmful to an auth service. 100 msecs is OK to expect for authentication, but will make an attacker's job more difficult.

Thoughts?

Thanks!

fpirsch commented 10 years ago

Hello, the time depends on the variable cost parameter, which is human-readable in the hash as $2a${cost}${salt}{hashedpw}. The computing time doubles each time you increment the cost by 1, so the answer to your question depends on your cost parameter.

vasiliyb commented 10 years ago

Thanks! So probably for speed in production for user authentication, I'd want to keep that cost value (salt) down lower than the default 10, yes?

Thanks!

fpirsch commented 10 years ago

You would have to test different values on your production environment (based on processor speed and the number of simultaneous visitors). You can also re-hash later with a higher cost when you have better hardware. You can also keep a higher cost value on the same hardware by using a faster library like twin-bcrypt (pure JS) or node.bcrypt.js (if you don't mind installing dependencies).
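A small script that ties the two answers together: it reads the cost out of a $2a$cost$... hash, projects compare() time from a single measurement using the doubling rule, and picks the highest cost that still fits a latency budget. This is an added example, not code from bcrypt-nodejs or from anyone in the thread; it assumes the 92 ms figure from the first post was measured at the default cost 10, and the sample hash is synthetic.

```javascript
'use strict';

// bcrypt's modular-crypt layout: $2a$<cost>$<22-char salt><31-char digest>.
// The 2a/2b/2y variants share this layout; the cost is two digits in 04..31.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored hash into its fields; throws on anything that is not bcrypt.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  const cost = parseInt(m[1], 10);
  if (cost < 4 || cost > 31) throw new Error('cost out of range: ' + cost);
  return { cost: cost, salt: m[2], digest: m[3] };
}

// bcrypt runs 2^cost key-setup rounds, so compare time doubles per +1 of cost.
function estimateCompareMs(measuredMs, measuredCost, targetCost) {
  return measuredMs * Math.pow(2, targetCost - measuredCost);
}

// Highest cost whose predicted compare time stays within budgetMs on this box.
function chooseCost(measuredMs, measuredCost, budgetMs) {
  let best = null;
  for (let c = 4; c <= 31; c++) {
    if (estimateCompareMs(measuredMs, measuredCost, c) <= budgetMs) best = c;
  }
  if (best === null) throw new Error('even cost 4 exceeds the budget');
  return best;
}

// Constructed sample hash: synthetic salt and digest, not a real password hash.
const SAMPLE_HASH = '$2a$10$' + 'abcdefghijklmnopqrstuv' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

// Worked run: 92 ms measured at cost 10 (assumed), budget of 250 ms per login.
function demo() {
  const parsed = parseBcryptHash(SAMPLE_HASH);
  const result = {
    costInHash: parsed.cost,
    cost12EstimateMs: estimateCompareMs(92, parsed.cost, 12),
    highestCostUnder250Ms: chooseCost(92, parsed.cost, 250)
  };
  console.log(result);
  return result;
}

demo();
```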