Basic auth is slow

Maxim Dounin mdounin at mdounin.ru
Mon Nov 30 13:12:10 UTC 2015


Hello!

On Sat, Nov 28, 2015 at 06:18:54PM +0100, Joó Ádám wrote:

> Hi,
> 
> I just noticed that enabling basic authentication adds between 100 and
> 150 ms to my otherwise 30-40 ms page load time. Is this known
> behaviour? Is this somehow inherent or a design / implementation
> mistake?

Basic authentication checks user password on each request.  
Depending on a password hash used for a particular user in the 
user file, it may take significant time - as password hashes 
are designed to be CPU-intensive to prevent password recovery 
attacks.  Some additional information can be found here:

https://en.wikipedia.org/wiki/Crypt_(C)

Depending on your particular setup and possible risks, you may 
consider using something less CPU-intensive as your password hash 
function if a hash calculation takes 100ms.  All crypt(3) schemes 
as supported by your system are understood by nginx, as well as 
some additional schemes for portability and debugging.  See here 
for more details:

http://nginx.org/r/auth_basic_user_file

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list