[keycloak-dev] profile results

Bruno Oliveira bruno at abstractj.org
Tue Jun 3 06:10:23 EDT 2014


Good morning Bill, NIST recommends 1000 as the minimum (http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf). Look for "A minimum iteration count of 1,000 is recommended".

So I think we can find the middle term, for example LastPass uses 5000 (https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/).

On 2014-06-02, Bill Burke wrote:
> https://issues.jboss.org/browse/KEYCLOAK-508
>
> I'm wondering if we should have this default value low or high?
>
> On 6/2/2014 5:03 PM, Bill Burke wrote:
> > I ran 10 threads each running 100 threads.  I get a rate of about 31ms
> > per loginpage/processLogin/accessCode2Token flow.
> >
> > According to JProfiler, 65% of time is spent in the password hashing
> > algorithm.  I guess this is not surprising because this password hashing
> > algorithm is *supposed* to eat up CPU, right?
> >
> > BTW, running 20 threads concurrently I start to get deadlocks in the
> > database around UserSession processing.  Going to look into that.
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--

abstractj
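
Added example, not part of the original messages or of Keycloak's code: it measures what PBKDF2 costs per login at the iteration counts mentioned in the thread and picks the largest count that fits a CPU budget without going below the NIST minimum. The HMAC-SHA256 PRF, the `iterations$salt$hash` record format, the function names and the 20 ms budget are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

NIST_MIN_ITERATIONS = 1000  # floor quoted in the thread from NIST SP 800-132
PRF = "sha256"              # assumption: the thread does not name the PRF

def hash_password(password, iterations, salt=None):
    """Return 'iterations$salt$hash' so each record carries its own work factor."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the count stored in the record, compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(PRF, password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def ms_per_hash(iterations, rounds=5):
    """Best-of-N wall-clock cost of one derivation, in milliseconds."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"constructed-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best * 1000.0

def calibrate(budget_ms, floor=NIST_MIN_ITERATIONS):
    """Largest multiple of 1000 iterations fitting budget_ms, never below floor.
    PBKDF2 cost is linear in the count, so one measurement scales."""
    per_1000_ms = ms_per_hash(10_000) / 10.0
    fit = int(budget_ms / per_1000_ms) * 1000
    return max(floor, fit)

if __name__ == "__main__":
    for n in (1000, 5000, 20000):  # NIST floor, LastPass figure, a higher setting
        print(f"{n:>6} iterations: {ms_per_hash(n):.2f} ms per login")
    print("fits a 20 ms budget:", calibrate(20.0))  # 20 ms is a constructed budget
```

Because the count is stored with each hash, the default can be raised later while older records still verify with the count they were created with.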

