Good morning Bill, NIST recommends 1000 as the minimum
(http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf). Look for "A
minimum iteration count of 1,000 is recommended".
So I think we can find the middle term, for example LastPass uses 5000
(https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/).
On 2014-06-02, Bill Burke wrote:
https://issues.jboss.org/browse/KEYCLOAK-508
I'm wondering if we should have this default value low or high?
On 6/2/2014 5:03 PM, Bill Burke wrote:
> I ran 10 threads each running 100 threads. I get a rate of about 31ms
> per loginpage/processLogin/accessCode2Token flow.
>
> According to JProfiler, 65% of time is spent in the password hashing
> algorithm. I guess this is not surprising because this password hashing
> algorithm is *supposed* to eat up CPU, right?
>
> BTW, running 20 threads concurrently I start to get deadlocks in the
> database around UserSession processing. Going to look into that.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
abstractj
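
The low-versus-high trade-off discussed in this thread, as an added example that is not part of the original messages or of Keycloak's code: it times one PBKDF2 hash at the two counts mentioned (1000 and 5000), picks a count for a per-login CPU budget without going below the NIST minimum, and stores the count with each hash so the default can be raised later. HMAC-SHA256, the `iterations$salt$hash` format, the function names and the 10 ms budget are assumptions.

```python
import hashlib
import hmac
import os
import time

FLOOR = 1000  # minimum iteration count quoted from NIST SP 800-132 in the thread


def _pbkdf2(password, salt, iterations):
    # Assumption: HMAC-SHA256 as the PRF; the thread does not name one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hash_password(password, iterations):
    """Return 'iterations$salt$hash' so the count can be raised later."""
    salt = os.urandom(16)
    return f"{iterations}${salt.hex()}${_pbkdf2(password, salt, iterations).hex()}"


def verify(password, stored):
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = _pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


def needs_rehash(stored, current_iterations):
    """True when a stored hash predates the current default iteration count."""
    return int(stored.split("$", 1)[0]) < current_iterations


def time_hash_ms(iterations, runs=3):
    """Best-of-N wall time for one hash, in milliseconds."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        _pbkdf2("benchmark-password", b"constructed-salt", iterations)
        best = min(best, (time.perf_counter() - start) * 1000)
    return best


def calibrate(target_ms, floor=FLOOR, probe=20000):
    """Largest iteration count that fits target_ms per hash, never below floor."""
    per_iteration_ms = max(time_hash_ms(probe) / probe, 1e-9)
    return max(floor, int(target_ms / per_iteration_ms))


if __name__ == "__main__":
    for n in (1000, 5000):  # the two counts mentioned in the thread
        print(f"{n:>6} iterations: {time_hash_ms(n):.2f} ms per hash")
    print("count for a 10 ms budget (constructed target):", calibrate(10))
```

Calling `needs_rehash` after a successful `verify` lets a deployment start with a lower default and re-hash each password at the higher count on the user's next login.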