6

I'm learning about pass hashing at the moment in the context of nodejs and I was wondering what would you recommend as the salt level. The default level is 10 and I was wondering if this is good enough for basic applications with less than 10 users.

2 Answers2

8

To answer your question I made a simple test Python script:

#!/usr/bin/env python3

import bcrypt
import time

passwd = b's$cret12'
for i in range(4,17):
    print(f'Rounds:{i}')
    start = time.time()
    salt = bcrypt.gensalt(rounds=i)
    hashed = bcrypt.hashpw(passwd, salt)
    end = time.time()
    print(f'Rounds:{i} | Time: {end - start:.4f} s')

And got the following result on Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz:

Rounds:4 | Time: 0.0016 s
Rounds:5 | Time: 0.0029 s
Rounds:6 | Time: 0.0060 s
Rounds:7 | Time: 0.0115 s
Rounds:8 | Time: 0.0232 s
Rounds:9 | Time: 0.0459 s
Rounds:10 | Time: 0.0907 s /* Good enough */
Rounds:11 | Time: 0.1834 s /* Worth to consider */
Rounds:12 | Time: 0.3563 s /* >250ms as it discussed in comments */ 
Rounds:13 | Time: 0.7215 s 
Rounds:14 | Time: 1.4437 s /* In critical systems for superuser password */
Rounds:15 | Time: 2.9140 s
Rounds:16 | Time: 5.8405 s

Hence, you may consider these numbers to understand how long is to check 1 password against hash tables of common words.

Today, I would consider something around 0.1 second per password is good enough (if you don't allow users to use simple passwords like '123456'). Hence, consider 10 or 11 rounds.

  • Remember, it doesn't PROTECT your users, but just buying them time to change their passwords safely, once your database of passwords is compromised.
jcaron
  • 17,302
  • 6
  • 32
  • 46
Constantine Kurbatov
  • 685
  • 9
  • 12
  • 2
    The "Good enough", and even "Worth to consider" times above might still be considered too fast. From what I've read, a cost of 250ms for a hash is around the more normal target (obviously this is a general norm, but everyone should consider their own use case carefully). Ian Boyd's answer in this https://stackoverflow.com/questions/4443476/optimal-bcrypt-work-factor gives a bit more background to the 250ms time. – Jools Aug 20 '21 at 08:54
  • 1
    Thank you for the link! Appreciate it. Updated the original post. With that, I would say that it depends on a purpose. I still thinking that ~0.2s is enough (it is not far away from the proposed 250ms in the paper). But yes, it is worth aiming even to 1s in critical systems. – Constantine Kurbatov Aug 20 '21 at 16:38
2

It doesn't matter how many users you have. One could argue that if you only have 10 users then you have more resources per user to keep them secure.

A good answer to the question of how many rounds are ok is to answer a question - how many rounds can you afford without degrading performance?

Sometimes the defaults are fine but sometimes you can do better than that. You really have to test it yourself and measure the impact.

rsp
  • 107,747
  • 29
  • 201
  • 177