[keycloak-dev] profile results

Bruno Oliveira bruno at abstractj.org
Tue Jun 3 09:14:25 EDT 2014


It pretty much depends on which machine the system will run on; maybe
making password salting configurable is a good idea.

The number of iterations pretty much depends on the computational
resources; you can increase it to 100.000.000, for example, and make
the system vulnerable to DDoS.

On 2014-06-03, Bill Burke wrote:
> There is no sensible middle ground for password hashing IMO.
>
> http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pkbdf2-sha256
>
> Stackoverflow says that it's recommended to do 64,000 iterations.  We do
> 20,000.
>
> http://en.wikipedia.org/wiki/PBKDF2
>
>
>
> On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
> > My vote is for a sensible middle ground
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 2 June, 2014 10:50:01 PM
> >> Subject: Re: [keycloak-dev] profile results
> >>
> >> https://issues.jboss.org/browse/KEYCLOAK-508
> >>
> >> I'm wondering if we should have this default value low or high?
> >>
> >> On 6/2/2014 5:03 PM, Bill Burke wrote:
> >>> I ran 10 threads each running 100 threads.  I get a rate of about 31ms
> >>> per loginpage/processLogin/accessCode2Token flow.
> >>>
> >>> According to JProfiler, 65% of time is spent in the password hashing
> >>> algorithm.  I guess this is not surprising because this password hashing
> >>> algorithm is *supposed* to eat up CPU, right?
> >>>
> >>> BTW, running 20 threads concurrently I start to get deadlocks in the
> >>> database around UserSession processing.  Going to look into that.
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--

abstractj
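
The trade-off discussed in this thread, as an added example that is not part of the original messages or of Keycloak's code: derive the PBKDF2 iteration count from a per-login CPU budget measured on the host, clamp it, and refuse stored records whose count is outside the configured bounds. PBKDF2-HMAC-SHA256, the record format, the FLOOR/CEILING values and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, time

FLOOR = 20_000       # assumed minimum (the count the thread says is used today)
CEILING = 1_000_000  # assumed cap so a single login cannot monopolise a core

def b64(raw):
    return base64.b64encode(raw).decode()

def measure_seconds_per_iteration(probe=50_000):
    """Time one PBKDF2 run on this machine; return the cost of one iteration."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe-password", b"probe-salt-16byt", probe)
    return (time.perf_counter() - start) / probe

def iterations_for_budget(sec_per_iter, budget_ms, floor=FLOOR, ceiling=CEILING):
    """Largest iteration count fitting the CPU budget, clamped to [floor, ceiling]."""
    wanted = int((budget_ms / 1000.0) / sec_per_iter)
    return max(floor, min(wanted, ceiling))

def hash_password(password, iterations):
    """Store the count next to the salt so it can be raised later per record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, b64(salt), b64(dk))

def verify(password, record, ceiling=CEILING):
    algo, iters, salt, expected = record.split("$")
    iters = int(iters)
    if algo != "pbkdf2-sha256" or not 1 <= iters <= ceiling:
        return False  # do not burn CPU on a record outside the configured bounds
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt), iters)
    return hmac.compare_digest(dk, base64.b64decode(expected))

def needs_rehash(record, current_iterations):
    """True when a record was hashed with fewer iterations than now configured."""
    return int(record.split("$")[1]) < current_iterations

if __name__ == "__main__":
    spi = measure_seconds_per_iteration()
    for budget_ms in (10, 50, 250):  # constructed sample budgets
        print(budget_ms, "ms ->", iterations_for_budget(spi, budget_ms), "iterations")
```
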

