---
title: "Bcrypt hashing time"
date: 2022-10-23
lang: en
categories: [ blog, software ]
tags: [miscellaneous, bcrypt, hashing, measurement]
translationKey: "2022-10-23-bcrypt-hashing-time"
---
## Measurements
These are merely some measurements I am noting down for myself; nothing
interesting to see here.

I am implementing some authentication, so I was wondering how much cost I
should use. The way to determine that is to measure how long it takes to hash
the password.

Here is the hardware I use:

- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
- Memory: PNY 8GB

I hash 3 different types of passwords:

- short password: silly simple one, `short password`
- medium password: 20-character random password: `h*uwd'QS0Xozxg5j//+e`
- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`

Here is the source code; consider it public domain or under the
[CC0 license][cc0] if you want to use or copy it.

[cc0]: https://creativecommons.org/publicdomain/zero/1.0/legalcode

```go
package main

import (
	"fmt"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	short := "short pass"
	medium := "h*uwd'QS0Xozxg5j//+e"
	long := "helium policy snort overtone shakable poison corporate curve"
	passwords := []string{short, medium, long}

	// Time a single hash of each password at every cost from 10 to 20.
	for cost := 10; cost <= 20; cost++ {
		fmt.Printf("Cost=%d\t", cost)
		for _, password := range passwords {
			start := time.Now()
			// The hash is discarded; only the elapsed time matters here.
			if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil {
				panic(err)
			}
			elapsed := time.Since(start)
			fmt.Printf("%s\t", elapsed)
		}
		fmt.Println("")
	}
}
```

## Result
| Cost | short password | medium password | long password |
|------|----------------|-----------------|---------------|
| 10 | 48.672298ms | 48.202171ms | 48.294102ms |
| 11 | 96.106021ms | 96.47686ms | 96.032581ms |
| 12 | 193.138147ms | 192.942441ms | 193.234901ms |
| 13 | 385.703415ms | 385.518335ms | 385.230291ms |
| 14 | 774.508302ms | 777.079681ms | 775.36359ms |
| 15 | 1.546692701s | 1.545946171s | 1.565475155s |
| 16 | 3.092266749s | 3.092314898s | 3.124079405s |
| 17 | 6.19333026s | 6.177802493s | 6.195031959s |
| 18 | 12.396592375s | 12.384743249s | 12.407640266s |
| 19 | 24.824486642s | 24.793569567s | 24.870305097s |
| 20 | 50.026644158s | 49.712950076s | 49.596850425s |
## Comments
- Hashing time does not depend on password length (sometimes it can even take
  slightly less time to hash a longer password?). If I recall correctly,
  shorter passwords are padded to the required length anyway, so of course
  there isn't much difference.
- Time increases exponentially with cost, as it is supposed to: each cost step
  roughly doubles the hashing time.
- Compared with [Auth0's measurement][auth0-bcrypt], this takes slightly
  less time. It could be due to hardware improvements or the implementation
  (Auth0 uses JavaScript).

[auth0-bcrypt]: https://auth0.com/blog/hashing-in-action-understanding-bcrypt/#-bcrypt--Best-Practices
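
One way to turn these measurements into a cost choice, as an added example that is not code from the original post: probe at a low cost, take the median, and extrapolate with the doubling per cost step to the highest cost that fits a latency budget. The names `calibrate` and `tableCost10` and the 250 ms budget are assumptions for illustration, and the stand-in timings replay the table's cost=10 row instead of calling bcrypt.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

const minCost, maxCost = 4, 31 // bcrypt.MinCost and bcrypt.MaxCost in x/crypto

// calibrate takes the median of `runs` timings at probeCost, then extrapolates
// (time doubles per cost step) to the highest cost that fits within budget.
func calibrate(measure func(cost int) time.Duration, probeCost, runs int, budget time.Duration) (int, time.Duration, error) {
	if probeCost < minCost || probeCost > maxCost || runs < 1 || budget <= 0 {
		return 0, 0, fmt.Errorf("invalid probe: cost=%d runs=%d budget=%s", probeCost, runs, budget)
	}
	samples := make([]time.Duration, runs)
	for i := range samples {
		samples[i] = measure(probeCost)
	}
	sort.Slice(samples, func(i, j int) bool { return samples[i] < samples[j] })
	cost, predicted := probeCost, samples[runs/2]
	if predicted <= 0 {
		return 0, 0, fmt.Errorf("measurement at cost %d returned %s", probeCost, predicted)
	}
	for predicted > budget && cost > minCost { // probe itself was too slow: step down
		cost--
		predicted /= 2
	}
	if predicted > budget {
		return 0, 0, fmt.Errorf("cost %d (%s) already exceeds budget %s", cost, predicted, budget)
	}
	for cost < maxCost && predicted <= budget/2 { // one more doubling still fits
		cost++
		predicted *= 2
	}
	return cost, predicted, nil
}

// tableCost10 replays the page's cost=10 row; real code would time bcrypt.GenerateFromPassword.
func tableCost10() func(int) time.Duration {
	rows, i := []time.Duration{48672298, 48202171, 48294102}, 0
	return func(int) time.Duration { i++; return rows[(i-1)%len(rows)] }
}

func main() {
	cost, predicted, err := calibrate(tableCost10(), 10, 3, 250*time.Millisecond)
	fmt.Println(cost, predicted, err) // chosen cost, predicted hash time, error
}
```

The prediction for the chosen cost can be compared against the measured row in the table to confirm that the extrapolation holds on the target hardware.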