effect of bcrypt hash $cost on HTTP Basic authentication's login performance?

PGNet Dev pgnet.dev at gmail.com
Sat Jun 29 16:48:01 UTC 2019


When generating hashed data for "HTTP Basic" login auth protection, using bcrypt as the hash algorithm, one can vary the resultant hash strength by specifying bcrypt's $cost, e.g.

	php -r "echo password_hash('$my_pass', PASSWORD_BCRYPT, ['cost' => $cost]) . PHP_EOL;"

Of course, increased $cost requires increased encryption time.
E.g., on my desktop, the hash encryption times vary with cost as,

	cost	time
	5		0m0.043s
	6		0m0.055s
	7		0m0.059s
	8		0m0.075s
	9		0m0.081s
	10		0m0.110s
	11		0m0.169s
	12		0m0.285s
	13		0m0.518s
	14		0m0.785s
	15		0m1.945s
	16		0m3.782s
	17		0m7.512s
	18		0m14.973s
	19		0m29.903s
	20		0m59.735s
	21		1m59.418s
	22		3m58.792s
	...

For site login usage, does *client* login time vary at all with the hash $cost?

Other than the initial, one-time hash generation, is there any login-performance reason NOT to use the highest hash $cost?


More information about the nginx-devel mailing list
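The question above turns on two points that a worked model makes concrete: bcrypt's cost factor is stored inside the hash and is paid by whoever verifies it (the server, never the HTTP client), and HTTP Basic auth re-sends the credentials on every request, so the server re-verifies on every request rather than once at login. The Python below is an added example, not code from the post or from nginx; it takes the cost-20 timing from the poster's table as its only reference point, and the stored hash and request traffic it uses are constructed placeholders.

```python
import base64
import re

# Reference row copied from the table in the post: cost 20 took 59.735 s on the
# poster's desktop. A high-cost row is used because the low-cost rows are
# dominated by php CLI start-up (about 0.04 s), not by bcrypt itself.
REFERENCE_COST, REFERENCE_SECONDS = 20, 59.735

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt, 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed placeholder with a valid shape and cost 12; not the hash of any real password.
STORED_HASH = "$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Constructed traffic: one browser session, ten requests, each re-sending the same credentials.
SAMPLE_REQUESTS = [
    {"Authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode()}
    for _ in range(10)
]

def parse_bcrypt_cost(hash_str: str) -> int:
    """Return the cost factor embedded in a bcrypt hash. The cost travels inside
    the hash, so the verifier (the server) pays for it; the HTTP client never runs bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the allowed 4..31 range")
    return cost

def estimated_verify_seconds(cost: int) -> float:
    """bcrypt runs 2**cost rounds of key setup, so time doubles per cost step.
    Verifying costs the same as hashing, because verification recomputes the hash."""
    return REFERENCE_SECONDS * 2.0 ** (cost - REFERENCE_COST)

def basic_auth_cpu_seconds(requests, stored_hash=STORED_HASH):
    """Model an auth_basic protected site: the browser resends the Authorization
    header with every request, so each request is verified independently.
    Returns (number of bcrypt verifications, estimated CPU seconds spent on them)."""
    cost = parse_bcrypt_cost(stored_hash)
    verifications = 0
    for headers in requests:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            continue  # answered with 401 + WWW-Authenticate; no hash work
        _user, sep, _password = base64.b64decode(auth[6:]).decode().partition(":")
        if not sep:
            continue  # malformed credentials are rejected before hashing
        verifications += 1  # the bcrypt check happens here, once per request
    return verifications, verifications * estimated_verify_seconds(cost)
```

Because the ten requests of the sample session each trigger a full verification, the estimated server CPU time is ten times the single-hash time for the stored cost, which is why the highest affordable $cost for a one-time hash is not the right choice for a credential that is re-checked on every request.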