effect of bcrypt hash $cost on HTTP Basic authentication's login performance?
Maxim Dounin
mdounin at mdounin.ru
Wed Jul 3 00:23:25 UTC 2019
Hello!
On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
> When generating hashed data for "HTTP Basic" login auth
> protection, using bcrypt as the hash algorithm, one can vary the
> resultant hash strength by varying specify bcrypt's $cost, e.g.
[...]
> For site login usage, does *client* login time vary at all with
> the hash $cost?
>
> Other than the initial, one-time hash generation, is there any
> login-performance reason NOT to use the highest hash $cost?
With Basic HTTP authentication, hashing happens on every user
request. That is, with high costs you are likely make your site
completely unusable.
(And no, it does not look like an appropriate question for the
nginx-devel@ list. Consider using nginx@ instead.)
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list