It pretty much depends on which machine the system will run on; maybe
making password salting configurable is a good idea.
The number of iterations pretty much depends on the computational
resources; you can increase it to 100,000,000 for example and make
the system vulnerable to DDoS.
On 2014-06-03, Bill Burke wrote:
There is no sensible middle ground for password hashing IMO.
http://stackoverflow.com/questions/6054082/recommended-of-iterations-when...
Stack Overflow says that it's recommended to do 64,000 iterations. We do
20,000.
http://en.wikipedia.org/wiki/PBKDF2
On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
> My vote is for a sensible middle ground
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 2 June, 2014 10:50:01 PM
>> Subject: Re: [keycloak-dev] profile results
>>
>> https://issues.jboss.org/browse/KEYCLOAK-508
>>
>> I'm wondering if we should have this default value low or high?
>>
>> On 6/2/2014 5:03 PM, Bill Burke wrote:
>>> I ran 10 threads each running 100 threads. I get a rate of about 31ms
>>> per loginpage/processLogin/accessCode2Token flow.
>>>
>>> According to JProfiler, 65% of time is spent in the password hashing
>>> algorithm. I guess this is not surprising because this password hashing
>>> algorithm is *supposed* to eat up CPU, right?
>>>
>>> BTW, running 20 threads concurrently I start to get deadlocks in the
>>> database around UserSession processing. Going to look into that.
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
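The trade-off argued over in this thread (each extra PBKDF2 iteration costs CPU on every login, so a high count also lowers the number of login attempts a server can absorb before it is effectively denied service) is easy to measure directly. The following is an added example, not code from the thread or from Keycloak: it uses Python's standard-library PBKDF2-HMAC-SHA256, a constructed fixed salt and test password, and compares the 20,000 and 64,000 counts Bill mentions against a deliberately low count. The `logins_per_second` ceiling is a simple per-core estimate, an assumption for illustration rather than a measurement of any real deployment.

```python
import hashlib
import hmac
import os
import time

# Constructed example salt for repeatable output. A real system draws a fresh
# random salt per user (e.g. os.urandom(16)); the salt is stored, not secret.
EXAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the given salt and iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def verify_password(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def time_per_hash(iterations: int, samples: int = 3) -> float:
    """Median wall-clock seconds for one PBKDF2 computation at this iteration count."""
    salt = os.urandom(16)
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        hash_password("correct horse battery staple", salt, iterations)  # constructed test password
        timings.append(time.perf_counter() - start)
    return sorted(timings)[len(timings) // 2]


def logins_per_second(seconds_per_hash: float, cores: int = 1) -> float:
    """Rough upper bound on verifications a server can perform per second.

    Assumes every core is spent on hashing and nothing else; this is the
    ceiling an attacker would need to saturate to deny service via login attempts.
    """
    return cores / seconds_per_hash


def compare(iteration_counts, cores: int = 1):
    """Return (iterations, seconds_per_hash, max_logins_per_second) for each count."""
    rows = []
    for count in iteration_counts:
        seconds = time_per_hash(count)
        rows.append((count, seconds, logins_per_second(seconds, cores)))
    return rows


if __name__ == "__main__":
    # 1,000 is deliberately low for contrast; 20,000 and 64,000 are the
    # Keycloak default and the Stack Overflow recommendation quoted in the thread.
    for count, seconds, rate in compare([1_000, 20_000, 64_000]):
        print(f"{count:>7} iterations: {seconds * 1000:8.2f} ms/hash "
              f"-> at most {rate:8.1f} verifications/s per core")
```

Run it on the machine that will actually serve logins, as the first reply suggests: the numbers differ by an order of magnitude between a developer laptop and a shared cloud instance, which is exactly why a fixed default cannot be "right" everywhere. Note that the iteration count governs cost only; the per-user salt is what stops precomputed tables, and raising iterations does not substitute for it.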