effect of bcrypt hash $cost on HTTP Basic authentication's login performance?
PGNet Dev
pgnet.dev at gmail.com
Sat Jun 29 16:48:01 UTC 2019
When generating hashed data for "HTTP Basic" login auth protection, using bcrypt as the hash algorithm, one can vary the resultant hash strength by varying bcrypt's $cost, e.g.
php -r "echo password_hash('$my_pass', PASSWORD_BCRYPT, ['cost' => $cost]) . PHP_EOL;"
Of course, increased $cost requires increased encryption time.
E.g., on my desktop, the hash encryption times vary with cost as,
cost time
5 0m0.043s
6 0m0.055s
7 0m0.059s
8 0m0.075s
9 0m0.081s
10 0m0.110s
11 0m0.169s
12 0m0.285s
13 0m0.518s
14 0m0.785s
15 0m1.945s
16 0m3.782s
17 0m7.512s
18 0m14.973s
19 0m29.903s
20 0m59.735s
21 1m59.418s
22 3m58.792s
...
For site login usage, does *client* login time vary at all with the hash $cost?
Other than the initial, one-time hash generation, is there any login-performance reason NOT to use the highest hash $cost?
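
Bcrypt verification reruns the hash at the cost stored in the hash string, so the check performed at login costs about as much as generating the hash. The PHP script below is an added example, not part of the original post; it times both in-process, and its password and cost range are constructed sample values.

```php
<?php
// Added example: compare bcrypt hash time with verify time at several costs.
// Timings are taken inside one PHP process, so interpreter startup (which a
// shell-level `time php -r ...` measurement includes) is excluded.

// Constructed sample inputs (not from the original post).
$password = 'correct horse battery staple';
$costs = range(5, 13);

/** Run $fn once and return [result, elapsed milliseconds]. */
function timed(callable $fn): array
{
    $start = hrtime(true);                 // monotonic nanoseconds (PHP >= 7.3)
    $result = $fn();
    return [$result, (hrtime(true) - $start) / 1e6];
}

printf("%4s  %10s  %10s  %10s\n", 'cost', 'hash ms', 'verify ms', 'reject ms');

foreach ($costs as $cost) {
    [$hash, $hashMs] = timed(
        fn() => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])
    );

    // The cost is encoded in the hash itself ("$2y$NN$..."), so whoever checks
    // a submitted password must repeat the same amount of work.
    $stored = password_get_info($hash)['options']['cost'];

    // Time a successful check and a failed one: both run the full computation.
    [$ok, $verifyMs]  = timed(fn() => password_verify($password, $hash));
    [$bad, $rejectMs] = timed(fn() => password_verify('wrong password', $hash));

    if ($stored !== $cost || !$ok || $bad) {
        fwrite(STDERR, "unexpected result at cost $cost\n");
        exit(1);
    }

    printf("%4d  %10.1f  %10.1f  %10.1f\n", $cost, $hashMs, $verifyMs, $rejectMs);
}
```

HTTP Basic sends the credentials with every request, so this verification time applies per request wherever the server does not cache the result.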