4:03 p.m.
I ran 10 threads each running 100 threads. I get a rate of about 31ms
per loginpage/processLogin/accessCode2Token flow.
According to JProfiler, 65% of time is spent in the password hashing
algorithm. I guess this is not surprising because this password hashing
algorithm is *supposed* to eat up CPU, right?
BTW, running 20 threads concurrently I start to get deadlocks in the
database around UserSession processing. Going to look into that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:50 p.m.
https://issues.jboss.org/browse/KEYCLOAK-508
I wondering if we should have this default value low or high?
On 6/2/2014 5:03 PM, Bill Burke wrote:
I ran 10 threads each running 100 threads. I get a rate of about
31ms
per loginpage/processLogin/accessCode2Token flow.
According to JProfiler, 65% of time is spent in the password hashing
algorithm. I guess this is not surprising because this password hashing
algorithm is *supposed* to eat up CPU, right?
BTW, running 20 threads concurrently I start to get deadlocks in the
database around UserSession processing. Going to look into that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:21 a.m.
My vote is for a sensible middle ground
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 2 June, 2014 10:50:01 PM
Subject: Re: [keycloak-dev] profile results
https://issues.jboss.org/browse/KEYCLOAK-508
I wondering if we should have this default value low or high?
On 6/2/2014 5:03 PM, Bill Burke wrote:
> I ran 10 threads each running 100 threads. I get a rate of about 31ms
> per loginpage/processLogin/accessCode2Token flow.
>
> According to JProfiler, 65% of time is spent in the password hashing
> algorithm. I guess this is not surprising because this password hashing
> algorithm is *supposed* to eat up CPU, right?
>
> BTW, running 20 threads concurrently I start to get deadlocks in the
> database around UserSession processing. Going to look into that.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:45 a.m.
There is no sensible middle ground for password hashing IMO.
http://stackoverflow.com/questions/6054082/recommended-of-iterations-when...
Stackoverflow says that its recommended to do 64,000 iterations. we do
20,000.
http://en.wikipedia.org/wiki/PBKDF2
On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
My vote is for a sensible middle ground
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 2 June, 2014 10:50:01 PM
> Subject: Re: [keycloak-dev] profile results
>
> https://issues.jboss.org/browse/KEYCLOAK-508
>
> I wondering if we should have this default value low or high?
>
> On 6/2/2014 5:03 PM, Bill Burke wrote:
>> I ran 10 threads each running 100 threads. I get a rate of about 31ms
>> per loginpage/processLogin/accessCode2Token flow.
>>
>> According to JProfiler, 65% of time is spent in the password hashing
>> algorithm. I guess this is not surprising because this password hashing
>> algorithm is *supposed* to eat up CPU, right?
>>
>> BTW, running 20 threads concurrently I start to get deadlocks in the
>> database around UserSession processing. Going to look into that.
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:14 a.m.
It pretty much depends on which machine the system will run, maybe
make password salting configurable is a good idea.
The number of iterations pretty much depends on the computational
resources, you can increase to 100.000.000 for example and make
the system vulnerable to DDoS.
On 2014-06-03, Bill Burke wrote:
There is no sensible middle ground for password hashing IMO.
http://stackoverflow.com/questions/6054082/recommended-of-iterations-when...
Stackoverflow says that its recommended to do 64,000 iterations. we do
20,000.
http://en.wikipedia.org/wiki/PBKDF2
On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
> My vote is for a sensible middle ground
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 2 June, 2014 10:50:01 PM
>> Subject: Re: [keycloak-dev] profile results
>>
>> https://issues.jboss.org/browse/KEYCLOAK-508
>>
>> I wondering if we should have this default value low or high?
>>
>> On 6/2/2014 5:03 PM, Bill Burke wrote:
>>> I ran 10 threads each running 100 threads. I get a rate of about 31ms
>>> per loginpage/processLogin/accessCode2Token flow.
>>>
>>> According to JProfiler, 65% of time is spent in the password hashing
>>> algorithm. I guess this is not surprising because this password hashing
>>> algorithm is *supposed* to eat up CPU, right?
>>>
>>> BTW, running 20 threads concurrently I start to get deadlocks in the
>>> database around UserSession processing. Going to look into that.
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
8:22 a.m.
On 6/3/2014 9:14 AM, Bruno Oliveira wrote:
It pretty much depends on which machine the system will run, maybe
make password salting configurable is a good idea.
I put in a JIRA for it. https://issues.jboss.org/browse/KEYCLOAK-508
The number of iterations pretty much depends on the computational
resources, you can increase to 100.000.000 for example and make
the system vulnerable to DDoS.
With the previous default of 20000 iterations it was *already*
vulnerable to DDoS.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:10 a.m.
Good morning Bill, NIST recommends 1000 as the minimum
(http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf). Look for "A
minimum iteration count of 1,000 is recommended".
So I think we can find the middle term, for example LastPass uses 5000
(https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/).
On 2014-06-02, Bill Burke wrote:
https://issues.jboss.org/browse/KEYCLOAK-508
I wondering if we should have this default value low or high?
On 6/2/2014 5:03 PM, Bill Burke wrote:
> I ran 10 threads each running 100 threads. I get a rate of about 31ms
> per loginpage/processLogin/accessCode2Token flow.
>
> According to JProfiler, 65% of time is spent in the password hashing
> algorithm. I guess this is not surprising because this password hashing
> algorithm is *supposed* to eat up CPU, right?
>
> BTW, running 20 threads concurrently I start to get deadlocks in the
> database around UserSession processing. Going to look into that.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
5:23 a.m.
We could check if JS is available, and if it is we could run this on the client side
before submitting the login form?
----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 3 June, 2014 11:10:23 AM
Subject: Re: [keycloak-dev] profile results
Good morning Bill, NIST recommends 1000 as the minimum
(http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf). Look
for "A
minimum iteration count of 1,000 is recommended".
So I think we can find the middle term, for example LastPass uses 5000
(https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/).
On 2014-06-02, Bill Burke wrote:
> https://issues.jboss.org/browse/KEYCLOAK-508
>
> I wondering if we should have this default value low or high?
>
> On 6/2/2014 5:03 PM, Bill Burke wrote:
> > I ran 10 threads each running 100 threads. I get a rate of about 31ms
> > per loginpage/processLogin/accessCode2Token flow.
> >
> > According to JProfiler, 65% of time is spent in the password hashing
> > algorithm. I guess this is not surprising because this password hashing
> > algorithm is *supposed* to eat up CPU, right?
> >
> > BTW, running 20 threads concurrently I start to get deadlocks in the
> > database around UserSession processing. Going to look into that.
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3612
days inactive
3613
days old
7 comments
3 participants
participants (3)
-
Bill Burke -
Bruno Oliveira -
Stian Thorgersen