Re: effect of bcrypt hash $cost on HTTP Basic authentication's login performance?

PGNet Dev
July 02, 2019 08:56PM
> (And no, it does not look like an appropriate question for the
> nginx-devel@ list. Consider using nginx@ instead.)

k.


On 7/2/19 5:23 PM, Maxim Dounin wrote:
> On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
>
>> When generating hashed data for "HTTP Basic" login auth
>> protection, using bcrypt as the hash algorithm, one can vary the
>> resultant hash strength by varying bcrypt's $cost, e.g.
>
> [...]
>
>> For site login usage, does *client* login time vary at all with
>> the hash $cost?
>>
>> Other than the initial, one-time hash generation, is there any
>> login-performance reason NOT to use the highest hash $cost?
>
> With Basic HTTP authentication, hashing happens on every user
> request. That is, with high costs you are likely to make your site
> completely unusable.

Noted.

*ARE* there authentication mechanisms available that do NOT hash on
every request? Perhaps via some mode of secure caching?

AND, that still maintain a high algorithmic cost to prevent breach
attempts, or at least maximize their efforts?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
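
The per-request hashing described in the quoted reply, as an added example that is not part of either poster's message or of nginx's code: a minimal Basic-auth check that counts password-hash computations while the same credentials are replayed. PBKDF2 with 2**cost iterations is used as a stand-in for bcrypt (an assumption made so the block runs with only the standard library), and the user, password, salt and function names are constructed.

```python
import base64, hashlib, hmac, time

SALT = b"constructed-salt"   # constructed sample value
CALLS = {"kdf": 0}           # counts password-hash computations

def kdf(password, cost):
    """Stand-in for bcrypt (assumption): PBKDF2-SHA256 with 2**cost iterations."""
    CALLS["kdf"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 2 ** cost)

def basic_header(user, password):
    """Build the Authorization value a client resends with every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(header, users, cost):
    """Verify one request; the server keeps no login state, so it hashes each time."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:       # bad base64 or non-UTF-8 credentials
        return False
    if not sep:
        return False
    candidate = kdf(password, cost)   # computed even for unknown users
    stored = users.get(user)
    return stored is not None and hmac.compare_digest(candidate, stored)

def serve(n_requests, cost):
    """Replay n identical authenticated requests; return (hash calls, seconds)."""
    users = {"alice": kdf("s3cret", cost)}   # the one-time hash generation
    header = basic_header("alice", "s3cret")
    CALLS["kdf"] = 0
    start = time.perf_counter()
    ok = all(check_basic(header, users, cost) for _ in range(n_requests))
    elapsed = time.perf_counter() - start
    if not ok:
        raise RuntimeError("valid credentials were rejected")
    return CALLS["kdf"], elapsed

if __name__ == "__main__":
    for cost in (8, 12, 16):
        calls, secs = serve(20, cost)
        print(f"cost={cost:2d} hashes={calls} per-request={secs / calls * 1000:.2f} ms")
```

Each step up in cost doubles the work done for every request, not only for the initial hash generation.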