In our web application, we use jBcrypt for hashing passwords. We use 13 log_rounds when hashing the password.
Normally, BCrypt.checkpw() takes about 1 second. But from time to time (after a few days), it suddenly starts getting slow and takes almost 30 seconds from that time on and does not recover to normal speed. Restarting Tomcat is the only thing that helps here.
I wouldn't be surprised if that happened from time to time, for example if there is a high CPU load or a GC is running. But that's not the case, it just suddenly starts getting slow. Only the login process is affected, the rest of the application is still fast. We also do not have any determinable memory leaks or other performance issues. It's just BCrypt.checkpw() that is slow. A thread dump shows that the time is consumed by BCrypt.checkpw and subsequent method calls, especially BCrypt.encipher:
Thread 8597: (state = IN_JAVA)
- org.mindrot.jbcrypt.BCrypt.encipher(int[], int) @bci=0, line=490 (Interpreted frame)
- org.mindrot.jbcrypt.BCrypt.key(byte[]) @bci=122, line=562 (Interpreted frame)
- org.mindrot.jbcrypt.BCrypt.crypt_raw(byte[], byte[], int) @bci=89, line=629 (Compiled frame)
- org.mindrot.jbcrypt.BCrypt.hashpw(java.lang.String, java.lang.String) @bci=226, line=692 (Interpreted frame)
- org.mindrot.jbcrypt.BCrypt.checkpw(java.lang.String, java.lang.String) @bci=3, line=763 (Interpreted frame)
I've only found one similar issue here on SO, but multiple Classloaders cannot be an issue in our case: Variable and degrading performance when using jbcrypt
Does anyone have an idea what's happening here?