Measurements
These are merely some measurements I noted down for myself; nothing interesting to see here.
I am implementing some authentication, so I was wondering how high a cost I should use. The way to determine this is to measure how long it takes to hash the password.
Here is the hardware I use:
- CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
- GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
- Memory: PNY 8GB
I hash 3 different types of password:
- short password: silly simple one: `short password`
- medium password: 20-character random password: `h*uwd'QS0Xozxg5j//+e`
- long password: a passphrase of 20 words: `helium policy snort overtone shakable poison corporate curve`
Here is the source code; consider it public domain or under the CC0 license if you want to use or copy it.

```go
package main

import (
	"fmt"
	"log"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	short := "short pass"
	medium := "h*uwd'QS0Xozxg5j//+e"
	long := "helium policy snort overtone shakable poison corporate curve"
	passwords := []string{short, medium, long}
	// Try every cost from 10 to 20 and time one hash per password.
	for cost := 10; cost <= 20; cost++ {
		fmt.Printf("Cost=%d\t", cost)
		for _, password := range passwords {
			start := time.Now()
			// Do not ignore the error: a failed hash would make the timing meaningless.
			if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil {
				log.Fatal(err)
			}
			elapsed := time.Since(start)
			fmt.Printf("%s\t", elapsed)
		}
		fmt.Println("")
	}
}
```
Result
Cost | short password | medium password | long password |
---|---|---|---|
10 | 48.672298ms | 48.202171ms | 48.294102ms |
11 | 96.106021ms | 96.47686ms | 96.032581ms |
12 | 193.138147ms | 192.942441ms | 193.234901ms |
13 | 385.703415ms | 385.518335ms | 385.230291ms |
14 | 774.508302ms | 777.079681ms | 775.36359ms |
15 | 1.546692701s | 1.545946171s | 1.565475155s |
16 | 3.092266749s | 3.092314898s | 3.124079405s |
17 | 6.19333026s | 6.177802493s | 6.195031959s |
18 | 12.396592375s | 12.384743249s | 12.407640266s |
19 | 24.824486642s | 24.793569567s | 24.870305097s |
20 | 50.026644158s | 49.712950076s | 49.596850425s |
Comments
- Hashing time does not depend on password length (sometimes it can take slightly less time to hash a longer password?). If I recall correctly, shorter passwords are padded to the required length anyway, so of course there isn't much difference.
- Time increases exponentially, as it is supposed to.
- Compared with Auth0's measurement, this takes slightly less time. It could be due to hardware improvements or the implementation (Auth0 uses JavaScript).
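
To turn the table into a decision, here is an added example (not part of the original notes) that picks the highest bcrypt cost whose hash time fits a latency budget, using the "short password" column above and extrapolating outside the measured range by assuming each cost step doubles the time. The names `estimate` and `pickCost` and the 250 ms budget are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Valid bcrypt cost range (MinCost and MaxCost in golang.org/x/crypto/bcrypt).
const minCost, maxCost = 4, 31
// measured is the "short password" column of the result table on this page (ns).
var measured = map[int]time.Duration{
	10: 48672298, 11: 96106021, 12: 193138147, 13: 385703415,
	14: 774508302, 15: 1546692701, 16: 3092266749, 17: 6193330260,
	18: 12396592375, 19: 24824486642, 20: 50026644158,
}

// estimate returns the measured time, or doubles/halves from the nearest sample.
func estimate(samples map[int]time.Duration, cost int) time.Duration {
	if d, ok := samples[cost]; ok {
		return d
	}
	nearest, best := 0, math.Inf(1)
	for c := range samples {
		dist := math.Abs(float64(c - cost))
		// Tie-break on the lower cost so map iteration order does not matter.
		if dist < best || (dist == best && c < nearest) {
			nearest, best = c, dist
		}
	}
	return time.Duration(float64(samples[nearest]) * math.Exp2(float64(cost-nearest)))
}

// pickCost returns the highest valid cost whose estimated time fits the budget.
func pickCost(samples map[int]time.Duration, budget time.Duration) (int, error) {
	if len(samples) == 0 {
		return 0, fmt.Errorf("no measurements")
	}
	for cost := maxCost; cost >= minCost; cost-- {
		if estimate(samples, cost) <= budget {
			return cost, nil
		}
	}
	return 0, fmt.Errorf("cost %d already exceeds budget %s", minCost, budget)
}

func main() {
	fmt.Println(pickCost(measured, 250*time.Millisecond))
}
```

The numbers are only valid for the machine they were measured on, so rerun the benchmark on the server that will actually verify logins before fixing a cost.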