effect of bcrypt hash $cost on HTTP Basic authentication's login performance?

PGNet Dev pgnet.dev at gmail.com
Wed Jul 3 00:55:01 UTC 2019

 > (And no, it does not look like an appropriate question for the
 > nginx-devel@ list.  Consider using nginx@ instead.)


On 7/2/19 5:23 PM, Maxim Dounin wrote:
> On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
>> When generating hashed data for "HTTP Basic" login auth
>> protection, using bcrypt as the hash algorithm, one can vary the
>> resultant hash strength by varying specify bcrypt's $cost, e.g.
> [...]
>> For site login usage, does *client* login time vary at all with
>> the hash $cost?
>> Other than the initial, one-time hash generation, is there any
>> login-performance reason NOT to use the highest hash $cost?
> With Basic HTTP authentication, hashing happens on every user
> request.  That is, with high costs you are likely make your site
> completely unusable.


*ARE* there authentication mechanisms available that do NOT hash on 
every request?  Perhaps via some mode of secure caching?

AND, that still maintain a high algorithmic cost to prevent breach 
attemtps, or at least maximize their efforts?

More information about the nginx mailing list