[keycloak-dev] profile results

Bill Burke bburke at redhat.com
Tue Jun 3 08:45:11 EDT 2014


There is no sensible middle ground for password hashing IMO.

http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pkbdf2-sha256

Stack Overflow says that it's recommended to do 64,000 iterations.  We do 
20,000.

http://en.wikipedia.org/wiki/PBKDF2



On 6/3/2014 4:21 AM, Stian Thorgersen wrote:
> My vote is for a sensible middle ground
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 2 June, 2014 10:50:01 PM
>> Subject: Re: [keycloak-dev] profile results
>>
>> https://issues.jboss.org/browse/KEYCLOAK-508
>>
>> I'm wondering if we should have this default value low or high?
>>
>> On 6/2/2014 5:03 PM, Bill Burke wrote:
>>> I ran 10 threads each running 100 threads.  I get a rate of about 31ms
>>> per loginpage/processLogin/accessCode2Token flow.
>>>
>>> According to JProfiler, 65% of time is spent in the password hashing
>>> algorithm.  I guess this is not surprising because this password hashing
>>> algorithm is *supposed* to eat up CPU, right?
>>>
>>> BTW, running 20 threads concurrently I start to get deadlocks in the
>>> database around UserSession processing.  Going to look into that.
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
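
An added example, not part of the original messages and not Keycloak's code: storing the PBKDF2 iteration count with each credential lets a default be raised later and weaker records be upgraded at login, and the timing helper measures the CPU cost being discussed. The record format, function names and the choice of 64,000 as the target are assumptions; 20,000 and 64,000 are the figures quoted in the thread.

```python
import hashlib
import hmac
import os
import time

CURRENT_ITERATIONS = 64_000  # assumed policy target (figure cited in the thread)
LEGACY_ITERATIONS = 20_000   # figure the thread says is in use

def hash_password(password, iterations=CURRENT_ITERATIONS):
    """Return 'iterations$salt_hex$hash_hex' so the cost travels with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Return (valid, needs_rehash), using the iteration count stored in the record."""
    iter_s, salt_hex, hash_hex = record.split("$")
    iterations = int(iter_s)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iterations)
    valid = hmac.compare_digest(dk, bytes.fromhex(hash_hex))  # constant-time compare
    return valid, valid and iterations < CURRENT_ITERATIONS

def login(password, record):
    """Verify, then upgrade a weaker record only after a successful login."""
    valid, needs_rehash = verify_password(password, record)
    if valid and needs_rehash:
        record = hash_password(password)  # re-derive at the current cost
    return valid, record

def ms_per_hash(iterations, rounds=3):
    """Best-of-N wall-clock cost of one derivation, in milliseconds."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed-sample",
                            b"0123456789abcdef", iterations)
        best = min(best, (time.perf_counter() - start) * 1000)
    return best

if __name__ == "__main__":
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{n:>6} iterations: {ms_per_hash(n):.1f} ms per hash")
    old = hash_password("constructed-sample", LEGACY_ITERATIONS)  # constructed input
    ok, new = login("constructed-sample", old)
    print(ok, old.split("$")[0], "->", new.split("$")[0])
```

The per-hash time scales roughly linearly with the iteration count, so the measured figure can be compared directly against a per-login latency budget on the target hardware.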

