> (And no, it does not look like an appropriate question for the
> nginx-devel@ list. Consider using nginx@ instead.)
k.
On 7/2/19 5:23 PM, Maxim Dounin wrote:
> On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
>> When generating hashed data for "HTTP Basic" login auth
>> protection, using bcrypt as the hash algorithm, one can vary the
>> resultant hash strength by varying bcrypt's $cost, e.g.
> [...]
>> For site login usage, does *client* login time vary at all with
>> the hash $cost?
>> Other than the initial, one-time hash generation, is there any
>> login-performance reason NOT to use the highest hash $cost?
> With Basic HTTP authentication, hashing happens on every user
> request. That is, with high costs you are likely to make your site
> completely unusable.
Noted.
*ARE* there authentication mechanisms available that do NOT hash on
every request? Perhaps via some mode of secure caching?
AND, that still maintain a high algorithmic cost to prevent breach
attempts, or at least maximize their efforts?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
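
Added example (not part of the original thread, and not nginx code): a sketch of why the hash cost is paid on every Basic-auth request, since each request carries the credentials again and the server must re-run the slow hash to check them. Assumptions: PBKDF2-HMAC-SHA256 with 2**cost iterations stands in for bcrypt (the Python standard library has no bcrypt); the user "alice", the password and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

def make_record(password: str, cost: int) -> dict:
    """One-time step: store salt + slow hash. Work factor is 2**cost
    iterations, mirroring how bcrypt's cost scales (stand-in, not bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return {"cost": cost, "salt": salt, "digest": digest}

def check_basic_auth(header: str, users: dict) -> bool:
    """Per-request step: parse 'Authorization: Basic ...' and re-run the
    full slow hash. Nothing is remembered between requests."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    rec = users.get(user)
    if not sep or rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], 2 ** rec["cost"])
    return hmac.compare_digest(candidate, rec["digest"])

def seconds_per_request(cost: int, requests: int = 3) -> float:
    """Average verification time for one request at the given cost."""
    users = {"alice": make_record("s3cret", cost)}  # constructed sample user
    header = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    start = time.perf_counter()
    for _ in range(requests):
        if not check_basic_auth(header, users):
            raise RuntimeError("valid credentials were rejected")
    return (time.perf_counter() - start) / requests

if __name__ == "__main__":
    for cost in (8, 12, 16):
        t = seconds_per_request(cost)
        print(f"cost={cost:2d}  {t * 1000:9.2f} ms/request  "
              f"~{1 / t:9.1f} requests/s per worker")
```

Each step up in cost doubles the time spent per request, and a page that pulls in dozens of protected resources pays it once per resource.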