From 18cbde410b06c251552cdf8b61062ee51736a583 Mon Sep 17 00:00:00 2001
From: Ngô Ngọc Đức Huy
Date: Sun, 23 Oct 2022 22:27:22 +0700
Subject: Add bcrypt hashing time measurement

---
 content/posts/2022-10-23-bcrypt-hashing-time.md | 89 +++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 content/posts/2022-10-23-bcrypt-hashing-time.md
(limited to 'content/posts')
diff --git a/content/posts/2022-10-23-bcrypt-hashing-time.md b/content/posts/2022-10-23-bcrypt-hashing-time.md
new file mode 100644
index 0000000..c9957b6
--- /dev/null
+++ b/content/posts/2022-10-23-bcrypt-hashing-time.md
@@ -0,0 +1,89 @@
+---
+title: "Bcrypt hashing time"
+date: 2022-10-23
+lang: en
+categories: [ blog ]
+tags: [miscellaneous, bcrypt, hashing, measurement]
+translationKey: "2022-10-23-bcrypt-hashing-time"
+---
+
+## Measurements
+
+This is mere some measurements I make notes for myself, nothing interesting to
+see here.
+
+I am implementing some authentication, so I was thinking how much cost should I
+use. The way to determine is to measure how long it takes to hash the
+password.
+
+Here is the hardware I use:
+
+- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
+- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
+- Memory: PNY 8GB
+
+I hash 3 different types of password:
+
+- short password: silly simple one, `short password`
+- medium password: 20-character random password: `h*uwd'QS0Xozxg5j//+e`
+- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`
+
+Here is the source code, consider it public domain or under [CC0 license][cc0]
+if you want to use or copy it.
+
+[cc0]: https://creativecommons.org/publicdomain/zero/1.0/legalcode
+
+```go
+package main
+import (
+ "fmt"
+ "time"
+ "golang.org/x/crypto/bcrypt"
+)
+
+func main() {
+ short := "short pass"
+ medium := "h*uwd'QS0Xozxg5j//+e"
+ long := "helium policy snort overtone shakable poison corporate curve"
+ passwords := []string{short, medium, long}
+ for cost := 10; cost <= 20; cost++ {
+ fmt.Printf("Cost=%d\t", cost)
+ for _, password := range passwords {
+ start := time.Now()
+ bcrypt.GenerateFromPassword([]byte(password), cost)
+ elapsed := time.Since(start)
+ fmt.Printf("%s\t", elapsed)
+ }
+ fmt.Println("")
+ }
+}
+```
+
+## Result
+
+| Cost | short password | medium password | long password |
+|------|----------------|-----------------|---------------|
+| 10 | 48.672298ms | 48.202171ms | 48.294102ms |
+| 11 | 96.106021ms | 96.47686ms | 96.032581ms |
+| 12 | 193.138147ms | 192.942441ms | 193.234901ms |
+| 13 | 385.703415ms | 385.518335ms | 385.230291ms |
+| 14 | 774.508302ms | 777.079681ms | 775.36359ms |
+| 15 | 1.546692701s | 1.545946171s | 1.565475155s |
+| 16 | 3.092266749s | 3.092314898s | 3.124079405s |
+| 17 | 6.19333026s | 6.177802493s | 6.195031959s |
+| 18 | 12.396592375s | 12.384743249s | 12.407640266s |
+| 19 | 24.824486642s | 24.793569567s | 24.870305097s |
+| 20 | 50.026644158s | 49.712950076s | 49.596850425s |
+
+## Comments
+
+- Hashing time is not dependent on password length (sometimes it can take
+ slightly less time to hash longer password?). If I recall correctly,
+ shorter passwords are padded to required length anyways, so of course there
+ isn't much difference.
+- Time increases exponentially, as it is supposed to be
+- Comparing this with [auth0's measurement][auth0-bcrypt], this takes slightly
+ less time. It could be due to either hardware improvement or implementation
+ (Auth0 use JavaScript)
+
+[auth0-bcrypt]: https://auth0.com/blog/hashing-in-action-understanding-bcrypt/#-bcrypt--Best-Practices
-- cgit 1.4.1
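Review bot: Both return values of `bcrypt.GenerateFromPassword` in the Go listing are discarded, so a call that fails (an out-of-range cost, or a failure reading the random salt) would be timed as a near-instant hash and reported in the table as a valid sample. Replace that line with `if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil { panic(err) }` so a bad sample aborts the run instead of being recorded. This matters more with newer golang.org/x/crypto releases, which as far as I recall reject inputs over bcrypt's 72-byte limit with an error rather than truncating silently; the same limit is why the "long password" row says nothing about inputs longer than 72 bytes, and readers picking a production cost from this table should know that. The explanation in the Comments section is also slightly off: shorter passwords are not "padded", the time is dominated by the 2^cost rounds of the expensive key schedule, which are independent of password length, and the long passphrase is described as 20 words while only 8 are listed.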