bcrypt.compare very slow on production servers

[adamreisnz]

I am using the bcryptjs library in a Node project and am comparing a password that has been salted with 15 rounds. On any of my computers, this comparison is done in about 150ms. However, on Heroku servers, this comparison takes 8-9 seconds (for a 18 character password):

Sep 9 10:09:58 app[web] info Comparing password: 8967.025ms
Sep 9 10:12:25 app[web] info Comparing password: 8562.370ms

After switching to bcrypt for comparison, it reduced to about 2.5 seconds:

Sep 9 10:15:38 app[web] info Comparing password: 2635.010ms

While about 3.5 times faster, this still seems rather long compared to running on a local machine. Is it memory or processing power that affects this duration?

[dcodeIO]

Looks like an issue with processing power to me. Also, if you have the opportunity to use native packages, you should favor bcrypt instead of this library.

[adamreisnz]

Yep I've switched it bcrypt now, that's at least somewhat faster, but still 10x as slow as on a local machine :(

[julianlam]

By any chance... are you using 16.04 in your dyno?

[adamreisnz]

Nah, it runs on the cedar-14 stack, which is Ubuntu 14.04

[julianlam]

Oh well. I happen to be running into the same problem on DigitalOcean via their 16.04 image.

[Smert]

EventLoop blocking:

  console.time('A');
  bcrypt.compare(record.password, admin.password, () => {});
  bcrypt.compare(record.password, admin.password, () => {});
  bcrypt.compare(record.password, admin.password, () => {});
  console.timeEnd('A');

A: 410.287ms

After switching to bcrypt

A: 5.101ms

WOW

[Ruffio]

It looks like this 'issue' can be closed now...