On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
> When generating hashed data for "HTTP Basic" login auth protection, using bcrypt as the hash algorithm, one can vary the resultant hash strength by varying bcrypt's $cost, e.g.
> For site login usage, does *client* login time vary at all with the hash $cost?
> Other than the initial, one-time hash generation, is there any login-performance reason NOT to use the highest hash $cost?
With Basic HTTP authentication, hashing happens on every user request. That is, with high costs you are likely to make your site completely unusable.
(And no, it does not look like an appropriate question for the nginx-devel@ list. Consider using nginx@ instead.)
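
To put numbers on the point made in the reply above, here is an added example (not code from the thread or from nginx): a Python model of how bcrypt cost translates into per-request and per-page hashing time when every Basic-auth request is re-verified. The reference timing, worker count, requests-per-page figure and the one-hash-at-a-time-per-worker model are assumptions; `measure_verify_seconds` needs the third-party `bcrypt` package and lets you replace the assumed timing with one measured on your own hardware.

```python
import time

def measure_verify_seconds(cost, password=b"constructed-sample-password"):
    """Time one bcrypt verification at `cost` on this machine.
    Needs the third-party `bcrypt` package (pip install bcrypt)."""
    import bcrypt  # lazy import so the model below works without it
    hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=cost))
    start = time.perf_counter()
    bcrypt.checkpw(password, hashed)
    return time.perf_counter() - start

def scaled_seconds(cost, ref_cost, ref_seconds):
    """bcrypt does 2**cost key-expansion rounds, so each +1 in cost doubles the time."""
    return ref_seconds * 2.0 ** (cost - ref_cost)

def page_load_seconds(cost, requests_per_page, ref_cost, ref_seconds):
    """Hashing time for one page view when every request (HTML, CSS, JS,
    images) carries the Authorization header and is verified again."""
    return requests_per_page * scaled_seconds(cost, ref_cost, ref_seconds)

def max_requests_per_second(cost, workers, ref_cost, ref_seconds):
    """Upper bound on authenticated requests/s, assuming each worker
    verifies one hash at a time and does nothing else."""
    return workers / scaled_seconds(cost, ref_cost, ref_seconds)

def highest_cost_within(budget_seconds, ref_cost, ref_seconds, lo=4, hi=31):
    """Largest bcrypt cost (valid range 4..31) whose single verification
    fits the per-request time budget, or None if even `lo` is too slow."""
    best = None
    for cost in range(lo, hi + 1):
        if scaled_seconds(cost, ref_cost, ref_seconds) <= budget_seconds:
            best = cost
    return best

if __name__ == "__main__":
    # Assumed calibration: 50 ms per verification at cost 10.
    # Replace with measure_verify_seconds(10) for real hardware.
    REF_COST, REF_SECONDS = 10, 0.05
    WORKERS, REQUESTS_PER_PAGE = 4, 40  # assumed deployment figures
    for cost in (5, 8, 10, 12, 14, 16):
        per_req = scaled_seconds(cost, REF_COST, REF_SECONDS)
        page = page_load_seconds(cost, REQUESTS_PER_PAGE, REF_COST, REF_SECONDS)
        rps = max_requests_per_second(cost, WORKERS, REF_COST, REF_SECONDS)
        print(f"cost={cost:2d}  per-request={per_req * 1000:8.1f} ms  "
              f"page={page:7.2f} s  max={rps:8.1f} req/s")
    print("highest cost under 10 ms/request:",
          highest_cost_within(0.010, REF_COST, REF_SECONDS))
```
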