---
title: "Bcrypt hashing time"
date: 2022-10-23
lang: en
categories: [ blog ]
tags: [miscellaneous, bcrypt, hashing, measurement]
translationKey: "2022-10-23-bcrypt-hashing-time"
---

## Measurements

These are just some measurements I made as notes for myself; nothing
interesting to see here.

I am implementing some authentication, so I was wondering what cost I should
use. The way to determine it is to measure how long hashing a password takes
at each cost.

Here is the hardware I use:

- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
- Memory: PNY 8GB

I hash 3 different types of password:

- short password: a silly simple one, `short password`
- medium password: a 20-character random password: `h*uwd'QS0Xozxg5j//+e`
- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`

Here is the source code; consider it public domain or under the [CC0 license][cc0]
if you want to use or copy it.

[cc0]: https://creativecommons.org/publicdomain/zero/1.0/legalcode

```go
package main

import (
	"fmt"
	"log"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	short := "short pass"
	medium := "h*uwd'QS0Xozxg5j//+e"
	long := "helium policy snort overtone shakable poison corporate curve"
	passwords := []string{short, medium, long}
	// Time one hash per password at every cost from 10 to 20. bcrypt's work
	// doubles with each cost increment, so the highest costs take a long time.
	for cost := 10; cost <= 20; cost++ {
		fmt.Printf("Cost=%d\t", cost)
		for _, password := range passwords {
			start := time.Now()
			// The hash itself is not needed here, but the error must not be
			// ignored: a rejected input would otherwise look like a 0s timing.
			if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil {
				log.Fatal(err)
			}
			elapsed := time.Since(start)
			fmt.Printf("%s\t", elapsed)
		}
		fmt.Println()
	}
}
```

## Result

| Cost | short password | medium password | long password |
|------|----------------|-----------------|---------------|
| 10   | 48.672298ms    | 48.202171ms     | 48.294102ms   |
| 11   | 96.106021ms    | 96.47686ms      | 96.032581ms   |
| 12   | 193.138147ms   | 192.942441ms    | 193.234901ms  |
| 13   | 385.703415ms   | 385.518335ms    | 385.230291ms  |
| 14   | 774.508302ms   | 777.079681ms    | 775.36359ms   |
| 15   | 1.546692701s   | 1.545946171s    | 1.565475155s  |
| 16   | 3.092266749s   | 3.092314898s    | 3.124079405s  |
| 17   | 6.19333026s    | 6.177802493s    | 6.195031959s  |
| 18   | 12.396592375s  | 12.384743249s   | 12.407640266s |
| 19   | 24.824486642s  | 24.793569567s   | 24.870305097s |
| 20   | 50.026644158s  | 49.712950076s   | 49.596850425s |

## Comments

- Hashing time does not depend on password length (sometimes it can even take
    slightly less time to hash a longer password?). If I recall correctly,
    shorter passwords are padded to the required length anyway, so of course
    there isn't much difference.
- Time increases exponentially with cost, as it is supposed to.
- Compared with [auth0's measurement][auth0-bcrypt], this takes slightly
    less time. It could be due to hardware improvements or the implementation
    (Auth0 uses JavaScript).

[auth0-bcrypt]: https://auth0.com/blog/hashing-in-action-understanding-bcrypt/#-bcrypt--Best-Practices
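As an added example (not part of the original post), the following Go program uses the short-password column of the table above to pick the highest cost that fits a given latency budget, and checks the doubling-per-cost model by extrapolating from one measurement to another. It uses only the standard library; the table values are copied from the measurements above, and the latency budgets are assumed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// bcrypt time per cost in nanoseconds, taken from the short-password column
// of the table above (the other two columns differ by at most a few percent).
var measured = map[int]time.Duration{
	10: 48672298, 11: 96106021, 12: 193138147, 13: 385703415,
	14: 774508302, 15: 1546692701, 16: 3092266749, 17: 6193330260,
	18: 12396592375, 19: 24824486642, 20: 50026644158,
}

// MaxCostWithin returns the highest measured cost whose hashing time fits
// the latency budget, and false if even the lowest measured cost exceeds it.
func MaxCostWithin(budget time.Duration) (int, bool) {
	best, found := 0, false
	for cost, d := range measured {
		if d <= budget && cost > best {
			best, found = cost, true
		}
	}
	return best, found
}

// Extrapolate predicts the time at toCost from the measurement at fromCost:
// bcrypt's key schedule runs 2^cost rounds, so each increment doubles the work.
func Extrapolate(fromCost, toCost int) time.Duration {
	d := measured[fromCost]
	if toCost >= fromCost {
		return d << uint(toCost-fromCost)
	}
	return d >> uint(fromCost-toCost)
}

// DoublingRatio is the measured time at cost+1 divided by the time at cost;
// it should sit close to 2.0 if the doubling model holds.
func DoublingRatio(cost int) float64 {
	return float64(measured[cost+1]) / float64(measured[cost])
}

func main() {
	// Assumed budgets: an interactive login and a more tolerant back-office one.
	for _, budget := range []time.Duration{250 * time.Millisecond, time.Second} {
		c, ok := MaxCostWithin(budget)
		fmt.Printf("budget %v: cost %d (found=%v)\n", budget, c, ok)
	}
	fmt.Printf("cost 20 predicted from cost 10: %v\n", Extrapolate(10, 20))
}
```

On this hardware a 250 ms budget lands on cost 12 and a 1 s budget on cost 14; the cost-10 measurement extrapolated to cost 20 comes within about half a percent of the measured 50 s.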