I use bcrypt / blowfish in PHP, and when I set the cost parameter to $10 (1024 rounds, I think), the encryption process takes 0.1 seconds. If I set it to $12, it takes 0.3 seconds. My question is: if it takes 0.3 seconds of processor time and I have 100 users performing this process, will all of them have to wait 30 seconds (0.3 x 100)? (Edit: it may be shorter due to dual-core / multi-thread processing, but even 10 seconds is unacceptable.)
Also: what is a good value for this cost parameter? Some people recommend $16, but it takes more than 5 seconds on my site (hosted by a large web host).
By the way, I use the following code to check the time it takes:
<?php
// set a password to work with
$var1 = "doodoo1234";

// echo that password onto the screen
echo $var1 . "<br /><br />";

// Start the clock
$time_start = microtime(true);

// Run blowfish function to encrypt the password
// (PassHash is the poster's own helper class, not shown here)
$hashedpass = PassHash::blowfishhash($var1);

// stop the clock
$time_end = microtime(true);

// echo the hashed password to the screen
echo $hashedpass . "<br /><br />";

// Echo the length of the encrypted password to the screen
// (this taught me that blowfish always returns a 60 varchar string)
echo strlen($hashedpass) . "<br /><br />";

$time = $time_end - $time_start;
echo "that took $time seconds\n";
?>
? 7, , , , 4, . , . , ( ), . , , . 0,1 10, 5 6. 0,05 . ? .
, (4) . blowfish. - , , . - bcrypt. - , sha256 sha512. , , bcrypt.
bcrypt, , ( , bcrypt).
, 6 , , 7, , , . , .
, - ( , ), bcrypt . , , . , , , (, , -).
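The cost question above can be settled by measuring on the server that will actually do the hashing. The following is an added example, not code from the original post: it uses PHP's built-in `password_hash()` instead of the poster's `PassHash` class, and the 0.25-second budget, the cost range 8 to 16 and the sample password are assumptions chosen for illustration (PHP 7.1 or later).

```php
<?php
// Added example: calibrate the bcrypt cost on the machine that does the hashing.
// The time budget and cost range are assumptions; set them for your own site.

/** Time a single bcrypt hash at the given cost and return elapsed seconds. */
function timeBcrypt(string $password, int $cost): float
{
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

/**
 * Return [chosen cost, timings per cost]. The chosen cost is the highest one
 * whose single-hash time stays within $targetSeconds ($minCost if none does).
 */
function calibrateCost(float $targetSeconds, int $minCost = 8, int $maxCost = 16): array
{
    $timings = [];
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $elapsed = timeBcrypt('constructed-sample-password', $cost);
        $timings[$cost] = $elapsed;
        if ($elapsed > $targetSeconds) {
            break; // each +1 doubles the work, so higher costs exceed the budget too
        }
        $chosen = $cost;
    }
    return [$chosen, $timings];
}

[$cost, $timings] = calibrateCost(0.25);
foreach ($timings as $c => $t) {
    // One hash keeps one core busy for $t seconds; requests on other cores run in parallel.
    printf("cost %2d: %.3f s per hash, about %.1f hashes/s per core\n", $c, $t, 1 / $t);
}
echo "chosen cost: $cost\n";

// The cost is stored inside the hash string, so old hashes keep verifying
// after the policy changes and can be upgraded at the next successful login.
$stored = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
if (password_verify('constructed-sample-password', $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost + 1])) {
    echo "a hash at cost $cost would be rehashed if the policy moved to " . ($cost + 1) . "\n";
}
```

The hashes-per-second figure is per core: the 100 users in the question only queue behind one another if they all log in within the same fraction of a second.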