There is no sensible middle ground for password hashing IMO.
http://stackoverflow.com/questions/6054082/recommended-of-iterations-when...
Stack Overflow says that it's recommended to do 64,000 iterations. We do
20,000.
http://en.wikipedia.org/wiki/PBKDF2
On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
My vote is for a sensible middle ground
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 2 June, 2014 10:50:01 PM
> Subject: Re: [keycloak-dev] profile results
>
> https://issues.jboss.org/browse/KEYCLOAK-508
>
> I'm wondering if we should have this default value low or high?
>
> On 6/2/2014 5:03 PM, Bill Burke wrote:
>> I ran 10 threads each running 100 threads. I get a rate of about 31ms
>> per loginpage/processLogin/accessCode2Token flow.
>>
>> According to JProfiler, 65% of time is spent in the password hashing
>> algorithm. I guess this is not surprising because this password hashing
>> algorithm is *supposed* to eat up CPU, right?
>>
>> BTW, running 20 threads concurrently I start to get deadlocks in the
>> database around UserSession processing. Going to look into that.
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
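
Added example, not part of the thread and not Keycloak's code: a Python sketch that measures what one PBKDF2 hash costs at the two iteration counts discussed above (20,000 and 64,000) and scales the count to a per-login CPU budget. HMAC-SHA256, the 16-byte salt, the 20,000 floor and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

HASH_NAME = "sha256"  # assumption: the thread does not name the HMAC in use
SALT_LEN = 16         # assumption
KEY_LEN = 32          # assumption


def hash_password(password: str, iterations: int,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2 key and return (salt, derived_key)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                              salt, iterations, KEY_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, iterations: int,
                    expected: bytes) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    _, key = hash_password(password, iterations, salt)
    return hmac.compare_digest(key, expected)


def ms_per_hash(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one hash, in milliseconds."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        # Constructed sample password and fixed salt, used only for timing.
        hash_password("constructed-sample-password", iterations, b"\x00" * SALT_LEN)
        best = min(best, (time.perf_counter() - start) * 1000.0)
    return best


def iterations_for_budget(budget_ms: float, probe: int = 20_000,
                          floor: int = 20_000) -> int:
    """PBKDF2 cost is linear in the count, so scale one probe to the budget."""
    per_iteration_ms = ms_per_hash(probe) / probe
    return max(floor, int(budget_ms / per_iteration_ms))


if __name__ == "__main__":
    for n in (20_000, 64_000):
        print(f"{n:>6} iterations: {ms_per_hash(n):.1f} ms per hash")
    print("iterations for a 50 ms budget:", iterations_for_budget(50))
```

A hash created at one iteration count does not verify at another, so the count has to be stored alongside each credential if the default is ever changed.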