effect of bcrypt hash $cost on HTTP Basic authentication's login performance?
PGNet Dev
pgnet.dev at gmail.com
Wed Jul 3 00:55:01 UTC 2019
> (And no, it does not look like an appropriate question for the
> nginx-devel@ list. Consider using nginx@ instead.)
k.
On 7/2/19 5:23 PM, Maxim Dounin wrote:
> On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
>
>> When generating hashed data for "HTTP Basic" login auth
>> protection, using bcrypt as the hash algorithm, one can vary the
>> resultant hash strength by varying bcrypt's $cost, e.g.
>
> [...]
>
>> For site login usage, does *client* login time vary at all with
>> the hash $cost?
>>
>> Other than the initial, one-time hash generation, is there any
>> login-performance reason NOT to use the highest hash $cost?
>
> With Basic HTTP authentication, hashing happens on every user
> request. That is, with high costs you are likely to make your site
> completely unusable.
Noted.
*ARE* there authentication mechanisms available that do NOT hash on
every request? Perhaps via some mode of secure caching?
AND, that still maintain a high algorithmic cost to prevent breach
attempts, or at least maximize their efforts?
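A worked illustration of the two points above, added here and not part of the thread: Basic auth makes the server re-run the slow password hash on every request, whereas a session-token scheme (the usual answer to "secure caching") runs it once at login and then checks a random bearer token with a cheap lookup. bcrypt is replaced by PBKDF2-HMAC-SHA256 from the Python standard library so the example runs offline; treating 2**cost iterations as the stand-in for bcrypt's $cost, the username "user", the password "hunter2" and the counter of slow-hash calls are all constructed for this example. The counter, rather than wall-clock timing, is what shows the cost difference, so the result is deterministic.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def slow_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    # Stand-in for bcrypt (assumption for this example): PBKDF2-HMAC-SHA256
    # with 2**cost iterations plays the role of bcrypt's $cost.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** cost)


class PasswordStore:
    """One user record (salt + slow hash). slow_hash_calls counts how often the
    expensive hash runs, so the two schemes can be compared deterministically."""

    def __init__(self, password: str, cost: int):
        self.cost = cost
        self.salt = secrets.token_bytes(16)
        self.digest = slow_hash(password.encode(), self.salt, cost)
        self.slow_hash_calls = 0

    def verify(self, password: str) -> bool:
        self.slow_hash_calls += 1
        candidate = slow_hash(password.encode(), self.salt, self.cost)
        # constant-time comparison of the two digests
        return hmac.compare_digest(candidate, self.digest)


def basic_auth_requests(store: PasswordStore, password: str, n_requests: int) -> int:
    """HTTP Basic: the client resends the credentials with every request and the
    server has to re-run the slow hash each time. Returns the number of slow
    hashes performed for n_requests requests."""
    before = store.slow_hash_calls
    for _ in range(n_requests):
        if not store.verify(password):
            raise PermissionError("bad credentials")
    return store.slow_hash_calls - before


class SessionAuth:
    """Session-token scheme: the slow hash runs once at login; later requests
    carry a random bearer token. The server keeps only SHA-256(token), so a
    leaked session table cannot be replayed, and the lookup is on a hash of
    random data, so its timing reveals nothing about the token."""

    def __init__(self, store: PasswordStore):
        self.store = store
        self.sessions: Dict[bytes, str] = {}  # sha256(token) -> username

    def login(self, username: str, password: str) -> Optional[str]:
        if not self.store.verify(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(token.encode()).digest()] = username
        return token

    def authorize(self, token: str) -> bool:
        return hashlib.sha256(token.encode()).digest() in self.sessions

    def logout(self, token: str) -> None:
        self.sessions.pop(hashlib.sha256(token.encode()).digest(), None)


def session_requests(auth: SessionAuth, password: str, n_requests: int) -> int:
    """Log in once, then make n_requests token-authenticated requests.
    Returns the number of slow hashes performed (expected: exactly one)."""
    before = auth.store.slow_hash_calls
    token = auth.login("user", password)  # constructed username
    if token is None:
        raise PermissionError("bad credentials")
    for _ in range(n_requests):
        if not auth.authorize(token):
            raise PermissionError("invalid session")
    return auth.store.slow_hash_calls - before


if __name__ == "__main__":
    store = PasswordStore("hunter2", cost=12)  # constructed credentials
    print("Basic auth, 50 requests:", basic_auth_requests(store, "hunter2", 50), "slow hashes")
    print("Session auth, 50 requests:", session_requests(SessionAuth(store), "hunter2", 50), "slow hash")
```

With this split the password hash cost can be set high (it is paid once per login, not per request), while per-request work is a hash-table lookup. A production version would add token expiry and server-side revocation, and send the token only over TLS; none of that changes the per-request cost picture shown here.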