
Bcrypt hashing time

Measurements

These are merely some measurements I noted down for myself; nothing interesting to see here.

I am implementing some authentication, so I was wondering how much cost I should use. The way to determine this is to measure how long it takes to hash a password.

Here is the hardware I use:

  • CPU: 11th Gen Intel i5-11400 (12) @ 4.400GHz
  • GPU: Intel RocketLake-S GT1 [UHD Graphics 730]
  • Memory: PNY 8GB

I hash 3 different types of password:

  • short password: silly simple one, short password
  • medium password: 20-character random password: h*uwd'QS0Xozxg5j//+e
  • long password: a passphrase of 20 words: helium policy snort overtone shakable poison corporate curve

Here is the source code; consider it public domain or under the CC0 license if you want to use or copy it.

package main

import (
	"fmt"
	"time"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	short := "short pass"
	medium := "h*uwd'QS0Xozxg5j//+e"
	long := "helium policy snort overtone shakable poison corporate curve"
	passwords := []string{short, medium, long}
	// Time one hash per password at every cost from 10 to 20.
	for cost := 10; cost <= 20; cost++ {
		fmt.Printf("Cost=%d\t", cost)
		for _, password := range passwords {
			start := time.Now()
			// A failed call returns early and would skew the timing, so check the error.
			if _, err := bcrypt.GenerateFromPassword([]byte(password), cost); err != nil {
				panic(err)
			}
			elapsed := time.Since(start)
			fmt.Printf("%s\t", elapsed)
		}
		fmt.Println("")
	}
}

Result

Cost  short password  medium password  long password
10    48.672298ms     48.202171ms      48.294102ms
11    96.106021ms     96.47686ms       96.032581ms
12    193.138147ms    192.942441ms     193.234901ms
13    385.703415ms    385.518335ms     385.230291ms
14    774.508302ms    777.079681ms     775.36359ms
15    1.546692701s    1.545946171s     1.565475155s
16    3.092266749s    3.092314898s     3.124079405s
17    6.19333026s     6.177802493s     6.195031959s
18    12.396592375s   12.384743249s    12.407640266s
19    24.824486642s   24.793569567s    24.870305097s
20    50.026644158s   49.712950076s    49.596850425s

Comments

  • Hashing time does not depend on password length (sometimes it can take slightly less time to hash a longer password?). If I recall correctly, shorter passwords are padded to the required length anyway, so of course there isn’t much difference.
  • Time increases exponentially with cost, as it is supposed to.
  • Compared with Auth0’s measurement, this takes slightly less time. It could be due to hardware improvements or the implementation (Auth0 uses JavaScript).
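One way to turn such measurements into a cost setting, as an added example that is not part of the original post. It replays the short-password column of the Result table in place of a live timing run; the names PickCost, Predict and tableMeasure and the 250 ms and 1 s latency budgets are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// pageTimings replays the "short password" column of the Result table (cost 10..20).
var pageTimings = []string{
	"48.672298ms", "96.106021ms", "193.138147ms", "385.703415ms", "774.508302ms",
	"1.546692701s", "3.092266749s", "6.19333026s", "12.396592375s", "24.824486642s",
	"50.026644158s",
}

// tableMeasure replays the table instead of timing bcrypt.GenerateFromPassword live (assumption).
func tableMeasure(cost int) time.Duration {
	d, err := time.ParseDuration(pageTimings[cost-10])
	if err != nil {
		panic(err)
	}
	return d
}

// PickCost returns the highest cost in [minCost, maxCost] whose measured time fits the budget.
// It stops at the first cost over budget; ok is false if even minCost is too slow.
func PickCost(measure func(int) time.Duration, budget time.Duration, minCost, maxCost int) (cost int, ok bool) {
	for c := minCost; c <= maxCost; c++ {
		if measure(c) > budget {
			break
		}
		cost, ok = c, true
	}
	return cost, ok
}

// Predict extrapolates one measurement to another cost, assuming time doubles per cost step.
func Predict(base time.Duration, baseCost, cost int) time.Duration {
	return time.Duration(float64(base) * math.Pow(2, float64(cost-baseCost)))
}

func main() {
	// The 250ms and 1s budgets are constructed values for illustration.
	for _, budget := range []time.Duration{250 * time.Millisecond, time.Second} {
		cost, ok := PickCost(tableMeasure, budget, 10, 20)
		fmt.Printf("budget=%s cost=%d ok=%v\n", budget, cost, ok)
	}
	fmt.Println("cost 14 predicted from cost 10:", Predict(tableMeasure(10), 10, 14))
}
```

Because PickCost stops at the first cost that exceeds the budget, a live calibration run on this hardware would never reach the multi-second hashes at cost 15 and above.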

