The recommended iteration count is currently 20,000. This number will only
increase. This is also with PBKDF2 SHA-1. SHA-256 might be more
expensive, I don't know. Here's the test I ran. I do multiple
iterations to warm up the JIT and such. Averaged out to 84ms per hash.
This was executed on my laptop. Somebody on this list suggested that we
also offer client-side hashing where the client's browser performs the
hash. That might make things scale better.
import org.junit.Test;
import org.keycloak.credential.hash.Pbkdf2PasswordHashProvider; // package as of Keycloak 3.x

@Test
public void testHashTim() throws Exception {
    int REPEATS = 100;
    Pbkdf2PasswordHashProvider provider = new Pbkdf2PasswordHashProvider();
    long start = System.currentTimeMillis();
    // Hash repeatedly so that JIT warm-up is amortised over many runs
    for (int i = 0; i < REPEATS; i++) {
        provider.encode("my3234pas234!word", 20000);
    }
    // Average wall-clock time per hash, in milliseconds (integer division)
    System.out.println("time per: " + ((System.currentTimeMillis() - start) / REPEATS));
}
On 3/21/17 8:09 AM, Reed Lewis wrote:
What is the true effect on performance in terms of the number of hashing
iterations that can be configured for Keycloak? There is of course a diminishing
return in terms of security with more and more iterations, but that of course needs to be
offset against the CPU power required to perform those iterations for each login.
So is there any performance analysis of the different numbers of iterations and their effect
on the capacity to handle users?
Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
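To put numbers behind the SHA-1 versus SHA-256 question above and Reed's capacity question, here is an added Python benchmark (example code written for this thread, not Keycloak's own provider) that times PBKDF2-HMAC at several iteration counts and turns the per-hash latency into an upper bound on logins per second. The 64-byte derived key length, the sample password and the random salt are assumptions, not values taken from Keycloak.

```python
import hashlib
import os
import time

# Constructed sample inputs, not values from the thread: a throwaway password and a random salt.
PASSWORD = b"my3234pas234!word"
SALT = os.urandom(16)
# Assumption: a 64-byte (512-bit) derived key. PBKDF2 runs the full iteration loop once per
# hash-output-sized block of the derived key, so 64 bytes costs 4 blocks with SHA-1
# (20-byte output) but only 2 blocks with SHA-256 (32-byte output).
DKLEN = 64


def pbkdf2_ms_per_hash(digest, iterations, repeats=10, warmup=2):
    """Average wall-clock milliseconds for one PBKDF2-HMAC derivation with `digest`."""
    for _ in range(warmup):  # discard the first runs, as the Java test does for JIT warm-up
        hashlib.pbkdf2_hmac(digest, PASSWORD, SALT, iterations, dklen=DKLEN)
    start = time.perf_counter()
    for _ in range(repeats):
        hashlib.pbkdf2_hmac(digest, PASSWORD, SALT, iterations, dklen=DKLEN)
    return (time.perf_counter() - start) * 1000.0 / repeats


def logins_per_second(ms_per_hash, cores=1):
    """Upper bound on password verifications per second if hashing were the only cost."""
    return cores * 1000.0 / ms_per_hash


def benchmark(iteration_counts=(10_000, 20_000, 40_000), digests=("sha1", "sha256"),
              cores=1, repeats=10):
    """Measure each (digest, iterations) pair and derive the login capacity it implies."""
    rows = []
    for digest in digests:
        for iterations in iteration_counts:
            ms = pbkdf2_ms_per_hash(digest, iterations, repeats)
            rows.append({"digest": digest, "iterations": iterations,
                         "ms_per_hash": ms, "logins_per_s": logins_per_second(ms, cores)})
    return rows


if __name__ == "__main__":
    for row in benchmark(cores=os.cpu_count() or 1):
        print("{digest:7s} {iterations:6d} iters: {ms_per_hash:7.2f} ms/hash, "
              "~{logins_per_s:8.1f} logins/s across all cores".format(**row))
```

The logins-per-second figure is a ceiling that ignores database, TLS and token-issuing work, so real login capacity will be lower; the useful output is the relative cost of each digest and iteration count on the hardware you actually run.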