[keycloak-user] What is the effect on performance in changing the number of Hashing Iterations for the password.
Bill Burke
bburke at redhat.com
Tue Mar 21 09:25:16 EDT 2017
Recommended iterations is currently 20,000. This number will only
increase. This is also with PBKDF2 SHA-1. SHA-256 might be more
expensive, I don't know. Here's the test I ran. I do multiple
iterations to warm up the JIT and such. Averaged out to 84ms per hash.
This was executed on my laptop. Somebody on this list suggested that we
also offer client-side hashing where the client's browser performs the
hash. That might make things scale better.

    @Test
    public void testHashTim() throws Exception {
        // Number of hashes to time
        int REPEATS = 100;
        Pbkdf2PasswordHashProvider provider = new Pbkdf2PasswordHashProvider();
        long start = System.currentTimeMillis();
        for (int i = 0; i < REPEATS; i++) {
            // Hash the same password at 20,000 iterations
            provider.encode("my3234pas234!word", 20000);
        }
        // Average wall-clock milliseconds per hash (integer division)
        System.out.println("time per: " + ((System.currentTimeMillis() - start) / REPEATS));
    }

On 3/21/17 8:09 AM, Reed Lewis wrote:
> What is the true effect on performance in terms of the number of Hashing Iterations that can be configured for Keycloak? There is of course a diminishing return in terms of security with more and more iterations, but that of course needs to be offset against the CPU power required to perform those iterations for each login.
>
> So is there any performance analysis of the different number of iterations and its effect on the capacity to handle users?
>
> Thank you.
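
An added example, not part of the original post or of Keycloak's code: a stand-alone JDK benchmark that times PBKDF2 with both HMAC-SHA1 and HMAC-SHA256 at several iteration counts and converts the result into hashes per second per core, which bounds password logins per core. The class name, sample password, 512-bit output length and repeat counts are assumptions of this example.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.SecureRandom;

public class Pbkdf2Cost {
    // Written on every hash so the JIT cannot discard the derivation as dead code.
    static volatile int sink;

    // Average milliseconds for one PBKDF2 derivation with the given PRF and iteration count.
    static double msPerHash(String algorithm, char[] password, byte[] salt,
                            int iterations, int repeats) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(algorithm);
        long start = System.nanoTime();
        for (int i = 0; i < repeats; i++) {
            // 512-bit derived key: an assumption of this example. Output longer than
            // the hash size costs extra PBKDF2 blocks (4 for SHA-1, 2 for SHA-256).
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 512);
            sink = factory.generateSecret(spec).getEncoded()[0];
            spec.clearPassword();
        }
        return (System.nanoTime() - start) / 1e6 / repeats;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample-password".toCharArray(); // constructed input
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String[] algorithms = {"PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256"};
        int[] iterationCounts = {5_000, 10_000, 20_000, 40_000};

        // Untimed warm-up pass so the measured runs use JIT-compiled code.
        for (String algorithm : algorithms) {
            msPerHash(algorithm, password, salt, 20_000, 20);
        }

        System.out.printf("%-22s %10s %10s %14s%n",
                "algorithm", "iterations", "ms/hash", "hashes/s/core");
        for (String algorithm : algorithms) {
            for (int iterations : iterationCounts) {
                double ms = msPerHash(algorithm, password, salt, iterations, 20);
                // One core can verify at most 1000/ms passwords per second.
                System.out.printf("%-22s %10d %10.2f %14.1f%n",
                        algorithm, iterations, ms, 1000.0 / ms);
            }
        }
    }
}
```

Cost should scale roughly linearly with the iteration count; absolute numbers depend on the hardware and JVM, so run it on the machine class that will serve logins.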