bcrypt

[Maxim Dounin]

Hello!

On Fri, Jun 23, 2017 at 09:37:27PM +0000, Lukas Tribus wrote:

> > One of the bcrypt scheme main properties is that it allows to 
> > control number of rounds, and thus control hashing speed.  With 
> > low number of rounds it is reasonably fast.  For example, with 2^5 
> > rounds (default used by htpasswd) it takes about 4 milliseconds 
> > here on a test box:
> 
> Just trying to wrap my head around this: if we have 100 request per
> second of this, we block the event loop for 400 milliseconds every
> 1000 milliseconds, is that a correct understanding?

Not really.  It means that you block the event loop for 4 milliseconds 
100 times per second.  Or: you are able to handle no more than 250 
requests per second on a single core / using a single nginx worker 
process.

This may or may not be ok for a particular use case, but it's 
certanly comparable to phk's md5-based scheme numbers (aka "$1$", 
aka "$apr1$": 1.5 milliseconds per request), and much faster than 
sha256 / sha512 crypt schemes (24 and 75 milliseconds respectively 
with the default number of rounds).

-- 
Maxim Dounin
http://nginx.org/