effect of bcrypt hash $cost on HTTP Basic authentication's login performance?

Maxim Dounin mdounin at mdounin.ru
Wed Jul 3 00:23:25 UTC 2019


Hello!

On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:

> When generating hashed data for "HTTP Basic" login auth 
> protection, using bcrypt as the hash algorithm, one can vary the 
> resultant hash strength by varying bcrypt's $cost, e.g.

[...]

> For site login usage, does *client* login time vary at all with 
> the hash $cost?
> 
> Other than the initial, one-time hash generation, is there any 
> login-performance reason NOT to use the highest hash $cost?

With Basic HTTP authentication, hashing happens on every user 
request.  That is, with high costs you are likely to make your site 
completely unusable.

(And no, it does not look like an appropriate question for the 
nginx-devel@ list.  Consider using nginx@ instead.)

-- 
Maxim Dounin
http://mdounin.ru/
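
Added example, not part of the message above and not nginx code: a small audit of an `auth_basic_user_file` that reads the bcrypt cost of each entry and estimates the CPU time spent re-verifying the password on every request. The baseline timing, the requests-per-page count, the latency budget and the sample entries are assumptions constructed for illustration; measure the baseline on your own host.

```python
import re

# bcrypt modular-crypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_cost(hashed):
    """Return the cost (log2 of the iteration count), or None if not bcrypt."""
    m = BCRYPT_RE.match(hashed)
    return int(m.group(1)) if m else None

def verify_ms(cost, baseline_cost, baseline_ms):
    """bcrypt runs 2**cost key-setup rounds, so time doubles per cost step."""
    return baseline_ms * 2.0 ** (cost - baseline_cost)

def audit(htpasswd_text, baseline_cost, baseline_ms, requests_per_page, budget_ms):
    """Per user: (cost, CPU ms per request, CPU ms per page view, over budget?)."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        parts = line.split(":", 2)  # name:password[:comment]
        user, hashed = parts[0], parts[1]
        cost = bcrypt_cost(hashed)
        if cost is None:
            continue  # not a bcrypt entry
        per_req = verify_ms(cost, baseline_cost, baseline_ms)
        per_page = per_req * requests_per_page  # every request is hashed again
        report[user] = (cost, per_req, per_page, per_page > budget_ms)
    return report

# Constructed sample: placeholder strings in bcrypt layout, not real hashes.
SAMPLE = "\n".join([
    "# constructed entries",
    "alice:$2y$05$" + "A" * 53,
    "bob:$2y$12$" + "B" * 53 + ":ops account",
    "carol:$2y$15$" + "C" * 53,
])

if __name__ == "__main__":
    # Assumed baseline: 1 ms per verification at cost 5; 30 requests per page.
    for user, row in audit(SAMPLE, 5, 1.0, 30, 500.0).items():
        print(user, row)
```
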

