When generating hashed data for "HTTP Basic" login auth protection, using
bcrypt as the hash algorithm, one can vary the resultant hash strength by
varying bcrypt's $cost, e.g.

    php -r "echo password_hash('$my_pass', PASSWORD_BCRYPT, ['cost' => $cost]) . PHP_EOL;"

Of course, increased $cost requires increased encryption time.
E.g., on my desktop, the hash encryption times vary with cost as,

    cost  time
       5  0m0.043s
       6  0m0.055s
       7  0m0.059s
       8  0m0.075s
       9  0m0.081s
      10  0m0.110s
      11  0m0.169s
      12  0m0.285s
      13  0m0.518s
      14  0m0.785s
      15  0m1.945s
      16  0m3.782s
      17  0m7.512s
      18  0m14.973s
      19  0m29.903s
      20  0m59.735s
      21  1m59.418s
      22  3m58.792s
     ...

For site login usage, does *client* login time vary at all with the hash $cost?
Other than the initial, one-time hash generation, is there any
login-performance reason NOT to use the highest hash $cost?
_______________________________________________
nginx-devel mailing list
http://mailman.nginx.org/mailman/listinfo/nginx-devel
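
Added example, not part of the original post: a PHP script that measures password_verify() next to password_hash() for the same bcrypt costs. A bcrypt hash stores its cost in the hash string, and checking a password recomputes bcrypt at that stored cost. The sample password, the 5-13 cost range and the time_verify() helper are assumptions made for this illustration.

```php
<?php
// Constructed sample value; not taken from the post.
$password = 'constructed-sample-password';

// Hypothetical helper: best-of-N wall time, in seconds, for checking one
// password against one stored hash. Best-of-N damps scheduler noise.
function time_verify(string $password, string $hash, int $rounds = 3): float
{
    $best = INF;
    for ($i = 0; $i < $rounds; $i++) {
        $start = microtime(true);
        $ok = password_verify($password, $hash);
        $elapsed = microtime(true) - $start;
        if (!$ok) {
            throw new RuntimeException('verification unexpectedly failed');
        }
        $best = min($best, $elapsed);
    }
    return $best;
}

printf("%4s  %10s  %10s\n", 'cost', 'hash (s)', 'verify (s)');

foreach (range(5, 13) as $cost) {
    // One-time generation, as in the post's php -r command.
    $start = microtime(true);
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $hashTime = microtime(true) - $start;

    // The cost travels inside the hash string ($2y$<cost>$...), so the
    // verifier needs no separate setting to know how much work to repeat.
    $stored = password_get_info($hash)['options']['cost'];
    if ($stored !== $cost) {
        throw new RuntimeException("hash reports cost $stored, expected $cost");
    }

    // Every credential check repeats the same bcrypt work.
    printf("%4d  %10.4f  %10.4f\n", $cost, $hashTime, time_verify($password, $hash));
}
```

Run it with the php CLI; the two time columns rise together as the cost increases.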