[keycloak-dev] profile results
Stian Thorgersen
stian at redhat.com
Tue Jun 3 06:23:53 EDT 2014
We could check if JS is available, and if it is we could run this on the client side before submitting the login form?
----- Original Message -----
> From: "Bruno Oliveira" <bruno at abstractj.org>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 3 June, 2014 11:10:23 AM
> Subject: Re: [keycloak-dev] profile results
>
> Good morning Bill, NIST recommends 1000 as the minimum
> (http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf). Look
> for "A
> minimum iteration count of 1,000 is recommended".
>
> So I think we can find the middle term, for example LastPass uses 5000
> (https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/).
>
> On 2014-06-02, Bill Burke wrote:
> > https://issues.jboss.org/browse/KEYCLOAK-508
> >
> > I wondering if we should have this default value low or high?
> >
> > On 6/2/2014 5:03 PM, Bill Burke wrote:
> > > I ran 10 threads each running 100 threads. I get a rate of about 31ms
> > > per loginpage/processLogin/accessCode2Token flow.
> > >
> > > According to JProfiler, 65% of time is spent in the password hashing
> > > algorithm. I guess this is not surprising because this password hashing
> > > algorithm is *supposed* to eat up CPU, right?
> > >
> > > BTW, running 20 threads concurrently I start to get deadlocks in the
> > > database around UserSession processing. Going to look into that.
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> abstractj
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list