Using bcrypt on App Engine seems to run very slowly when hashing passwords. I've read that the recommendation (at least since 2017) was 10 or more rounds, and that it should be based on the time it takes to process the encryption/decryption rather than a set number of rounds. Nonetheless, when we tried setting different log_rounds values starting at 10, it takes a very long time, to the extent that we hit the DeadlineExceededError, which occurs on GAE if the request takes more than 60 seconds! We are using the default F1 instance class, as we didn't set it to another class in app.yaml.

We tested on F2 and F4 instances, which were indeed faster, but still generally slow from a UX perspective. I think it took ~5 seconds on an F2 instance for 7 log_rounds! Is there a known issue with this particular library? Is passlib a better choice? Or is this behavior normal? We think we might be missing something here, but not sure what!
from pybcrypt import bcrypt  # py-bcrypt vendored into the app under the package name "pybcrypt"

# What we use for hashing (at registration); the result is stored as user.hashed_password
user_pass = "secret_password"
password = bcrypt.hashpw(user_pass, bcrypt.gensalt(log_rounds=10))

# What we use to verify correct password (at login)
# password_attempt is the value submitted with the login form
if bcrypt.hashpw(password_attempt, user.hashed_password) == user.hashed_password:
    # User login success
    print "Logged in!"
else:
    # User login failed
    print "Wrong credentials!"
Some of the posts I went through:
1) https://security.stackexchange.com/questions/17207/recommended-of-rounds-for-bcrypt
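Added example, not code from the question or from py-bcrypt: what "based on the time it takes" rather than a fixed round count looks like in practice. It benchmarks a cost factor against a latency budget and keeps the largest cost that fits, projects a measured timing to other costs (the question's ~5 s at 7 log_rounds works out to ~40 s at 10 and ~80 s at 11, which is where a 60 s request deadline bites), and verifies with a constant-time comparison instead of ==. Because bcrypt is not in the Python standard library, the default work function is hashlib.pbkdf2_hmac with 2**cost iterations as a stand-in for bcrypt's log_rounds; the optional bcrypt_hash adapter assumes the pyca `bcrypt` package (a different library from py-bcrypt) is installed and is only defined when it imports. Function names and the 250 ms budget are illustrative.

```python
import hashlib
import hmac
import os
import time


def pbkdf2_hash(password, salt, cost):
    """Stand-in work function: 'cost' mirrors bcrypt's log_rounds, so work = 2**cost iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** cost)


try:
    import bcrypt  # assumed: pyca/bcrypt (pip install bcrypt); not the py-bcrypt of the question

    def bcrypt_hash(password, salt, cost):
        # bcrypt encodes cost and salt in its own salt string, so the passed salt is unused
        return bcrypt.hashpw(password, bcrypt.gensalt(rounds=cost))
except ImportError:  # keep the example runnable without the third-party package
    bcrypt_hash = None


def time_hash(hash_fn, cost, trials=3):
    """Best-of-N wall-clock seconds for one hash at 'cost' (best-of damps scheduler noise)."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hash_fn(b"benchmark-password", salt, cost)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate_cost(hash_fn, target_seconds, min_cost=4, max_cost=31):
    """Largest cost in [min_cost, max_cost] whose hash time stays within target_seconds.

    Each +1 doubles the work, so the scan stops at the first cost over budget and
    returns the one before it (min_cost if even that one is over budget).
    """
    chosen = min_cost
    for cost in range(min_cost, max_cost + 1):
        if time_hash(hash_fn, cost) > target_seconds:
            break
        chosen = cost
    return chosen


def estimate_seconds(measured_cost, measured_seconds, target_cost):
    """Project a measured timing to another cost: time scales by 2**(cost difference)."""
    return measured_seconds * 2.0 ** (target_cost - measured_cost)


def hash_password(password, cost):
    """Store cost next to salt and digest so verification replays exactly the same work."""
    salt = os.urandom(16)
    return (cost, salt, pbkdf2_hash(password, salt, cost))


def verify_password(attempt, stored):
    cost, salt, digest = stored
    # constant-time comparison; a plain == leaks where the two digests first differ
    return hmac.compare_digest(pbkdf2_hash(attempt, salt, cost), digest)


if __name__ == "__main__":
    # ~5 s at log_rounds 7 (the F2 figure from the question) projected to 10 and 11
    print("cost 10 -> %.0f s, cost 11 -> %.0f s"
          % (estimate_seconds(7, 5.0, 10), estimate_seconds(7, 5.0, 11)))
    cost = calibrate_cost(pbkdf2_hash, 0.25)  # illustrative 250 ms login budget on this machine
    stored = hash_password(b"secret_password", cost)
    print("calibrated cost", cost, "verify:", verify_password(b"secret_password", stored))
```

Run the calibration on the instance class that will actually serve logins (an F1 is far weaker than a developer laptop), store the chosen cost with each hash, and re-run it when the instance class changes; bcrypt's own hash string already carries the cost, which is why the bcrypt adapter ignores the salt argument.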