It pretty much depends on which machine the system will run; maybe
making password salting configurable is a good idea.
The number of iterations pretty much depends on the computational
resources, you can increase to 100.000.000 for example and make
the system vulnerable to DDoS.
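An added example, not from this thread, from Keycloak, or from any of the posters, that makes the iteration-count trade-off concrete: it times PBKDF2-HMAC-SHA256 (an assumed KDF; the thread names none) at several iteration counts and reports how many password verifications one core can sustain per second, which is the ceiling a login endpoint has before hashing alone saturates it. The password, salt size and iteration counts are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample password; real code takes it from the login request.
SAMPLE_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 hash (assumed KDF, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt, iterations), expected)


def time_per_hash(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation at this work factor."""
    salt = os.urandom(16)  # fresh per-user salt, as a login path would store
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hash_password(SAMPLE_PASSWORD, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def logins_per_second_per_core(iterations: int) -> float:
    """Upper bound on verifications one core can do; the DoS budget per core."""
    return 1.0 / time_per_hash(iterations)


def cost_table(counts=(1_000, 64_000, 1_000_000)) -> dict:
    """Map iteration count -> (seconds per hash, max logins/sec/core)."""
    table = {}
    for n in counts:
        seconds = time_per_hash(n)
        table[n] = (seconds, 1.0 / seconds)
    return table


if __name__ == "__main__":
    for n, (seconds, rate) in cost_table().items():
        print(f"{n:>9} iterations: {seconds * 1000:8.2f} ms/hash, {rate:8.1f} logins/s/core")
```

Multiply the per-core rate by the number of cores reserved for authentication to get the request rate at which unauthenticated POSTs to the login endpoint exhaust the server; that is the figure to weigh against the offline guessing cost the iteration count buys.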
On 2014-06-03, Bill Burke wrote:
There is no sensible middle ground for password hashing IMO.
Stackoverflow says that it's recommended to do 64,000 iterations. we do
On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
> My vote is for a sensible middle ground
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 2 June, 2014 10:50:01 PM
>> Subject: Re: [keycloak-dev] profile results
>> I'm wondering if we should have this default value low or high?
>> On 6/2/2014 5:03 PM, Bill Burke wrote:
>>> I ran 10 threads each running 100 threads. I get a rate of about 31ms
>>> per loginpage/processLogin/accessCode2Token flow.
>>> According to JProfiler, 65% of time is spent in the password hashing
>>> algorithm. I guess this is not surprising because this password hashing
>>> algorithm is *supposed* to eat up CPU, right?
>>> BTW, running 20 threads concurrently I start to get deadlocks in the
>>> database around UserSession processing. Going to look into that.
>> Bill Burke
>> JBoss, a division of Red Hat
>> keycloak-dev mailing list
JBoss, a division of Red Hat
keycloak-dev mailing list