---
title: "Bcrypt hashing time"
date: 2022-10-23
lang: en
categories: [ blog ]
tags: [miscellaneous, bcrypt, hashing, measurement]
translationKey: "2022-10-23-bcrypt-hashing-time"
---

## Measurements

These are merely some measurements I noted down for myself; nothing interesting to see here.

I am implementing some authentication, so I was wondering what cost I should use. The way to decide is to measure how long it takes to hash a password.

Here is the hardware I use:

- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
- Memory: PNY 8GB

I hash 3 different types of password:

- short password: silly simple one, `short password`
- medium password: 20-character random password: `h*uwd'QS0Xozxg5j//+e`
- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`

Here is the source code; consider it public domain or under the [CC0 license][cc0] if you want to use or copy it.

[cc0]: https://creativecommons.org/publicdomain/zero/1.0/legalcode

```go
package main

import (
	"fmt"
	"log"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	short := "short pass"
	medium := "h*uwd'QS0Xozxg5j//+e"
	long := "helium policy snort overtone shakable poison corporate curve"
	passwords := []string{short, medium, long}

	// Time one hash per password at each cost from 10 to 20.
	for cost := 10; cost <= 20; cost++ {
		fmt.Printf("Cost=%d\t", cost)
		for _, password := range passwords {
			start := time.Now()
			// The hash itself is discarded, but a failed call must not be
			// reported as a valid timing.
			if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil {
				log.Fatalf("bcrypt failed at cost %d: %v", cost, err)
			}
			elapsed := time.Since(start)
			fmt.Printf("%s\t", elapsed)
		}
		fmt.Println("")
	}
}
```

## Result

| Cost | short password | medium password | long password |
|------|----------------|-----------------|---------------|
| 10   | 48.672298ms    | 48.202171ms     | 48.294102ms   |
| 11   | 96.106021ms    | 96.47686ms      | 96.032581ms   |
| 12   | 193.138147ms   | 192.942441ms    | 193.234901ms  |
| 13   | 385.703415ms   | 385.518335ms    | 385.230291ms  |
| 14   | 774.508302ms   | 777.079681ms    | 775.36359ms   |
| 15   | 1.546692701s   | 1.545946171s    | 1.565475155s  |
| 16   | 3.092266749s   | 3.092314898s    | 3.124079405s  |
| 17   | 6.19333026s    | 6.177802493s    | 6.195031959s  |
| 18   | 12.396592375s  | 12.384743249s   | 12.407640266s |
| 19   | 24.824486642s  | 24.793569567s   | 24.870305097s |
| 20   | 50.026644158s  | 49.712950076s   | 49.596850425s |

## Comments

- Hashing time is not dependent on password length (sometimes it can take slightly less time to hash a longer password?). If I recall correctly, shorter passwords are padded to the required length anyway, so of course there isn't much difference.
- Time increases exponentially, as it is supposed to.
- Comparing this with [auth0's measurement][auth0-bcrypt], this takes slightly less time. It could be due to hardware improvements or the implementation (Auth0 uses JavaScript).

[auth0-bcrypt]: https://auth0.com/blog/hashing-in-action-understanding-bcrypt/#-bcrypt--Best-Practices
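
The doubling per cost step noted in the comments can be checked against the table and then used to pick a cost for a login latency budget. The following is an added example, not part of the original measurement code: it fits the "short password" column with a least-squares line in log2 space, and the function names and the 250 ms budget are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// "short password" column of the Result table (costs 10..20), in nanoseconds.
var costs = []int{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20}
var times = []time.Duration{
	48672298, 96106021, 193138147, 385703415, 774508302, 1546692701,
	3092266749, 6193330260, 12396592375, 24824486642, 50026644158,
}

// fitLog2 least-squares fits log2(seconds) = slope*cost + intercept.
func fitLog2(costs []int, times []time.Duration) (slope, intercept float64) {
	n := float64(len(costs))
	var sx, sy, sxx, sxy float64
	for i, c := range costs {
		x, y := float64(c), math.Log2(times[i].Seconds())
		sx, sy, sxx, sxy = sx+x, sy+y, sxx+x*x, sxy+x*y
	}
	slope = (n*sxy - sx*sy) / (n*sxx - sx*sx)
	return slope, (sy - slope*sx) / n
}

// predict returns the modelled hashing time at a given cost.
func predict(cost int, slope, intercept float64) time.Duration {
	return time.Duration(math.Exp2(slope*float64(cost)+intercept) * float64(time.Second))
}

// maxCostWithin returns the highest cost whose modelled time fits the budget,
// clamped to the range bcrypt accepts (MinCost 4, MaxCost 31).
func maxCostWithin(budget time.Duration, slope, intercept float64) int {
	if budget <= 0 {
		return 4
	}
	c := math.Floor((math.Log2(budget.Seconds()) - intercept) / slope)
	return int(math.Max(4, math.Min(31, c)))
}

func main() {
	slope, intercept := fitLog2(costs, times)
	fmt.Printf("log2 slope per cost step: %.4f\n", slope)
	budget := 250 * time.Millisecond // assumed latency budget
	c := maxCostWithin(budget, slope, intercept)
	fmt.Printf("budget %s -> cost %d (modelled %s)\n", budget, c, predict(c, slope, intercept))
}
```

The fitted line describes only the CPU measured above; on other hardware, re-run the measurement loop at a few low costs and feed those timings to `fitLog2` instead.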