
I have been going around the existing hashing algorithms to hash passwords for a small microservice that uses basic auth for authentication.

As per the community standard I chose the bcrypt algorithm to hash the password. But after benchmarking the server using Apache Benchmark, I found out that 90% of the CPU cycles are being spent on verifying the password. To give some context, a t3.large was able to process 60 req/sec without authentication and only 6 req/sec with the authentication logic.

I thought of doing a benchmark using the passlib library available in Python, and here are the results for 100 iterations using passlib with default settings -

print (timeit.timeit('my_ctx.verify("password", hash_sha256)', setup=setup, number=100))
40.74972726893611
print (timeit.timeit('my_ctx.verify("password", hash_md5)', setup=setup, number=100))
0.03434068092610687
print (timeit.timeit('my_ctx.verify("password", hash_des)', setup=setup, number=100))
0.01271090202499181
print (timeit.timeit('my_ctx.verify("password", hash_bcrypt)', setup=setup, number=100))
25.593560334993526
print (timeit.timeit('my_ctx.verify("password", hash_sha512)', setup=setup, number=100))
46.78381339798216
print (timeit.timeit('my_ctx.verify("password", hash_pbkdf2)', setup=setup, number=100))
2.236785114975646
print (timeit.timeit('my_ctx.verify("password", hash_argon2)', setup=setup, number=100))
12.668332702014595

I understand there are multiple rounds going on behind the scenes to hash it up. After changing the rounds for sha256 to 1000, there was a significant difference -

timeit.timeit('sha256_crypt.hash("password", rounds=1000)', setup=setup, number=100)

So my question is -

For a small microservice that uses Basic Auth and not token-based authentication or any other means, I want to ask what the optimum approach is, so that the password securely resides in a multi-level secure database hosted on Amazon servers?

cedzz
    It is very much on purpose that the password hashing *is slow*. That's literally what provides the security, because it realistically prevents brute force attacks on passwords. You'll need to dial the cost parameters to the right balance for your server, but keep them as expensive as possible. – deceze Sep 01 '20 at 06:53
  • Having said that, a login should be a one-time-per-session action, you shouldn't be doing this hash verification on every single request. You'll want a different auth mechanism then. – deceze Sep 01 '20 at 06:55
  • @deceze agreed on both of your comments. But what if I am restricted to using basic auth validation and want to have optimum performance on the APIs as well, given the limited sources available, what would be the optimum choice of algorithm? And if suppose I set 1000 rounds on the sha256 algo, will that be okay? Will that be good enough? – cedzz Sep 01 '20 at 06:58
  • What exactly *are* your limits? What does "limited to basic auth" mean exactly? Why are you limited to only that? Could you use a *signature* algorithm instead? That basically works like basic auth in that you only need to send one value in the `Authorization` header, but is different from sending the plain password… – deceze Sep 01 '20 at 07:00
  • The requirements are for user name and password protected api for every request. – cedzz Sep 01 '20 at 07:01
  • Then that's very limiting indeed. You can perhaps cache the verified credentials server-side so you don't need to do the expensive hashing on every single request (e.g. store the username and a fast hash of the password in memory when authentication succeeded). – deceze Sep 01 '20 at 07:06
  • @cedzz Those requirements are really dumb, once a user has got a token they should not have to log in again for some time. That is, unless each request is a transaction. Having one secure login is better than multiple logins. Note that you can have even 1 iteration if your passphrases are secure enough, maybe you can require a **really** complex passphrase, like 64 bit security or higher (normal passwords offer about 4 to 44 bits of security). – Maarten Bodewes Sep 01 '20 at 09:42
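deceze's suggestion of caching verified credentials server-side, worked through as an added Python example (this is not code from the question or from passlib; the stdlib PBKDF2 stands in for bcrypt so it runs without dependencies, and the iteration count, cache TTL and in-memory user store are assumptions). The slow KDF is paid once per user per TTL window; later requests with the same credential are checked against a keyed HMAC tag, while every wrong guess still pays the full KDF cost.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example (tune the cost for your own hardware).
PBKDF2_ITERATIONS = 100_000   # deliberately slow: paid per session, not per request
CACHE_TTL_SECONDS = 300       # how long a verified credential skips the slow KDF
_CACHE_KEY = secrets.token_bytes(32)   # per-process secret for the fast cache tag
_DUMMY = (b"\x00" * 16, b"\x00" * 32)  # used for unknown users to keep timing uniform

def hash_password(password, salt=None):
    """Return (salt, derived key) for storage; PBKDF2 stands in for bcrypt/argon2."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def slow_verify(password, salt, expected):
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)

class CachedVerifier:
    """Basic-auth verifier: slow KDF on the first request, keyed HMAC lookup afterwards."""
    def __init__(self, users, ttl=CACHE_TTL_SECONDS, now=time.monotonic):
        self.users = users      # username -> (salt, pbkdf2 hash); constructed store
        self.ttl, self.now = ttl, now
        self._cache = {}        # username -> (HMAC tag of the credential, expiry time)
        self.slow_calls = 0     # counts KDF evaluations, to show the cache working

    def _tag(self, username, password):
        # Keyed hash, not a bare fast hash: a memory dump yields nothing crackable offline.
        msg = username.encode() + b"\x00" + password.encode()
        return hmac.new(_CACHE_KEY, msg, "sha256").digest()

    def invalidate(self, username):
        self._cache.pop(username, None)   # call on password change or logout

    def verify(self, username, password):
        tag = self._tag(username, password)
        hit = self._cache.get(username)
        if hit and hit[1] > self.now() and hmac.compare_digest(hit[0], tag):
            return True                   # cache hit: no KDF cost on this request
        # Miss, expiry, or wrong password: the slow KDF always runs here, so the
        # cache gives an online guesser no speed-up; unknown users get a dummy entry.
        self.slow_calls += 1
        salt, expected = self.users.get(username, _DUMMY)
        ok = slow_verify(password, salt, expected)
        if not ok or username not in self.users:
            return False
        self._cache[username] = (tag, self.now() + self.ttl)
        return True
```

The cache is per process and lost on restart, which is acceptable since the worst case is one extra slow verification per user.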

0 Answers