Auth: Reduce bcrypt cost for faster login on small devices #3718

Closed
lastzero opened this issue Sep 12, 2023 · 1 comment
Labels: enhancement, performance, released, security, tested

Comments

@lastzero
Member

As a user of a small device like a NAS or a Raspberry Pi, I would like the cost of the bcrypt password to be lower so that logging in does not take a very long time (or even time out).

The default password cost (2^number of rounds) of most implementations is 11 and the current cost in PhotoPrism is 14, so we reduce it to 12¹, which is still more secure than what most other applications use:

| Cost | Iterations |
|------|------------|
| 8 | 256 iterations |
| 9 | 512 iterations |
| 10 | 1,024 iterations |
| 11 | 2,048 iterations |
| 12 | 4,096 iterations |
| 13 | 8,192 iterations |
| 14 | 16,384 iterations |
| 15 | 32,768 iterations |
| 16 | 65,536 iterations |

Footnotes

  1. Developers can change this value in internal/entity/password.go to use a higher/lower cost in custom builds, depending on their needs.
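
A bcrypt hash string records the cost it was created with, so hashes made at cost 14 keep that cost until the password is hashed again. The following is an added example, not part of the original post and not PhotoPrism's code: it reads the cost from a stored hash with the standard library only and flags hashes that differ from the new target. The function names, `TargetCost` and the placeholder hashes are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// TargetCost is the cost chosen in the issue (hypothetical constant name).
const TargetCost = 12

// ParseCost reads the cost from a bcrypt hash in modular crypt format:
// "$2a$", "$2b$" or "$2y$", two cost digits, "$", 53 chars of salt and digest.
func ParseCost(hash string) (int, error) {
	parts := strings.Split(hash, "$") // "", version, cost, salt+digest
	if len(hash) != 60 || len(parts) != 4 || parts[0] != "" || len(parts[3]) != 53 {
		return 0, fmt.Errorf("not a 60-character bcrypt hash")
	}
	if v := parts[1]; v != "2a" && v != "2b" && v != "2y" {
		return 0, fmt.Errorf("unsupported bcrypt version %q", v)
	}
	// Atoi alone would accept a sign, so require exactly two decimal digits.
	if len(parts[2]) != 2 || strings.Trim(parts[2], "0123456789") != "" {
		return 0, fmt.Errorf("malformed cost field %q", parts[2])
	}
	cost, _ := strconv.Atoi(parts[2])
	if cost < 4 || cost > 31 { // valid bcrypt cost range
		return 0, fmt.Errorf("cost %d out of range", cost)
	}
	return cost, nil
}

// Iterations returns 2^cost, matching the table above.
func Iterations(cost int) uint64 { return uint64(1) << uint(cost) }

// NeedsRehash reports whether a stored hash was made with a cost other than target.
func NeedsRehash(hash string, target int) (bool, error) {
	cost, err := ParseCost(hash)
	return err == nil && cost != target, err
}

func main() {
	// Constructed placeholder hashes: valid layout only, not real password hashes.
	for _, c := range []string{"14", "12"} {
		h := "$2a$" + c + "$" + strings.Repeat("A", 53)
		cost, _ := ParseCost(h)
		stale, _ := NeedsRehash(h, TargetCost)
		fmt.Printf("cost=%d iterations=%d rehash=%v\n", cost, Iterations(cost), stale)
	}
}
```
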

@lastzero added the enhancement, security and performance labels Sep 12, 2023
@lastzero self-assigned this Sep 12, 2023
@lastzero changed the title from "Auth: Reduce bcrypt password cost for faster login on small devices" to "Auth: Reduce bcrypt cost for faster login on small devices" Sep 12, 2023
lastzero added a commit that referenced this issue Sep 12, 2023
Signed-off-by: Michael Mayer <michael@photoprism.app>
@lastzero added the please-test label Sep 12, 2023
@graciousgrey added the tested and released labels and removed the please-test label Sep 20, 2023
@maxime1992

I've seen this week that the Laravel PHP framework has advised people to increase the default (10 rounds) to 12. So having it at 12 here as well sounds sensible to me :)
