authorNgô Ngọc Đức Huy <huyngo@disroot.org>2022-10-23 22:27:22 +0700
committerNgô Ngọc Đức Huy <huyngo@disroot.org>2022-10-23 22:28:11 +0700
commit18cbde410b06c251552cdf8b61062ee51736a583 (patch)
tree922cf1959970f7f7e99c98b38d1898c96bd6c0cf /content/posts/2022-10-23-bcrypt-hashing-time.md
parent8dd23601fde2a2ea90d1614036396770c18c3053 (diff)
downloadblog-18cbde410b06c251552cdf8b61062ee51736a583.tar.gz
Add bcrypt hashing time measurement
Diffstat (limited to 'content/posts/2022-10-23-bcrypt-hashing-time.md')
-rw-r--r--content/posts/2022-10-23-bcrypt-hashing-time.md89
1 files changed, 89 insertions, 0 deletions
diff --git a/content/posts/2022-10-23-bcrypt-hashing-time.md b/content/posts/2022-10-23-bcrypt-hashing-time.md
new file mode 100644
index 0000000..c9957b6
--- /dev/null
+++ b/content/posts/2022-10-23-bcrypt-hashing-time.md
@@ -0,0 +1,89 @@
+---
+title: "Bcrypt hashing time"
+date: 2022-10-23
+lang: en
+categories: [ blog ]
+tags: [miscellaneous, bcrypt, hashing, measurement]
+translationKey: "2022-10-23-bcrypt-hashing-time"
+---
+
+## Measurements
+
+This is mere some measurements I make notes for myself, nothing interesting to
+see here.
+
+I am implementing some authentication, so I was thinking how much cost should I
+use.  The way to determine is to measure how long it takes to hash the
+password.
+
+Here is the hardware I use:
+
+- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
+- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
+- Memory: PNY 8GB
+
+I hash 3 different types of password:
+
+- short password: silly simple one, `short password`
+- medium password: 20-character random password: `h*uwd'QS0Xozxg5j//+e`
+- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`
+
+Here is the source code, consider it public domain or under [CC0 license][cc0]
+if you want to use or copy it.
+
+[cc0]: https://creativecommons.org/publicdomain/zero/1.0/legalcode
+
+```go
+package main
+import (
+	"fmt"
+	"time"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func main() {
+	short := "short pass"
+	medium := "h*uwd'QS0Xozxg5j//+e"
+	long := "helium policy snort overtone shakable poison corporate curve"
+	passwords := []string{short, medium, long}
+	for cost := 10; cost <= 20; cost++ {
+		fmt.Printf("Cost=%d\t", cost)
+		for _, password := range passwords {
+			start := time.Now()
+			bcrypt.GenerateFromPassword([]byte(password), cost)
+			elapsed := time.Since(start)
+			fmt.Printf("%s\t", elapsed)
+		}
+		fmt.Println("")
+	}
+}
+```
+
+## Result
+
+| Cost | short password | medium password | long password |
+|------|----------------|-----------------|---------------|
+| 10   | 48.672298ms    | 48.202171ms     | 48.294102ms   |
+| 11   | 96.106021ms    | 96.47686ms      | 96.032581ms   |
+| 12   | 193.138147ms   | 192.942441ms    | 193.234901ms  |
+| 13   | 385.703415ms   | 385.518335ms    | 385.230291ms  |
+| 14   | 774.508302ms   | 777.079681ms    | 775.36359ms   |
+| 15   | 1.546692701s   | 1.545946171s    | 1.565475155s  |
+| 16   | 3.092266749s   | 3.092314898s    | 3.124079405s  |
+| 17   | 6.19333026s    | 6.177802493s    | 6.195031959s  |
+| 18   | 12.396592375s  | 12.384743249s   | 12.407640266s |
+| 19   | 24.824486642s  | 24.793569567s   | 24.870305097s |
+| 20   | 50.026644158s  | 49.712950076s   | 49.596850425s |
+
+## Comments
+
+- Hashing time is not dependent on password length (sometimes it can take
+    slightly less time to hash longer password?). If I recall correctly,
+    shorter passwords are padded to required length anyways, so of course there
+    isn't much difference.
+- Time increases exponentially, as it is supposed to be
+- Comparing this with [auth0's measurement][auth0-bcrypt], this takes slightly
+    less time. It could be due to either hardware improvement or implementation
+    (Auth0 use JavaScript)
+
+[auth0-bcrypt]: https://auth0.com/blog/hashing-in-action-understanding-bcrypt/#-bcrypt--Best-Practices
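Review bot: the inputs described in the prose do not match what main() actually hashes: the list calls the short password `short password` and the long one "a passphrase of 20 words", but the code has `short := "short pass"` and the passphrase literal contains eight words, so either the text or the literals should be corrected to agree. The call `bcrypt.GenerateFromPassword([]byte(password), cost)` also discards both return values; checking the error (it is non-nil for a cost outside bcrypt's supported range) avoids timing a silent failure as if it were a successful hash, e.g. `if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil { panic(err) }`. Each table cell is a single run; repeating each cost a few times and reporting the median would make the comparison with Auth0's numbers more robust. On the comments section: the independence from password length is expected because the work is spent in the 2^cost rounds of the EksBlowfish key schedule, which does not depend on input length; the password bytes (plus a terminating NUL) are cycled into the key schedule rather than padded, and bcrypt only uses the first 72 bytes of the input, a limit the 61-byte "long" passphrase stays well under.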