We have a large Java web application and have to switch the hashing algorithm to Argon2id.
We did a load test with 20 concurrent logins to get a feel for the response times and find the right parameters. (In production, there are 3x as many concurrent logins per server instance.)
Independent of the chosen parameters (we settled for `$argon2id$v=19$m=31250,t=8,p=1`), the response times from the Argon2id implementation were highly inconsistent:
90% of the hashes were completed in < 0.5 seconds, followed by 10 or so calls that took 4 or 5 seconds. After that spike, it would return to < 0.5 seconds.
With more secure parameters, the spikes would reach over 10 seconds.
My guess is that the delays are caused by the garbage collection. We lowered the memory usage, but the problem remained the same.
The platform is WebSphere 9, the implementation is:
```xml
<dependency>
    <groupId>de.mkammerer</groupId>
    <artifactId>argon2-jvm</artifactId>
    <version>2.10.1</version>
</dependency>
```
So, how can one use Argon2id in a high traffic web application? Try another implementation? Tweak the GC somehow?
Has anyone used it in a large webapp?
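An added probe (not from the question and not part of argon2-jvm) that reproduces the load shape described above with the question's own parameters on the login path (verify, not hash) and reads the JVM's cumulative GC time around the run, so the garbage-collection hypothesis can be checked directly; it assumes argon2-jvm 2.10.1 on the classpath, and the password and load counts are constructed.

```java
import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;
import java.lang.management.*;
import java.util.*;
import java.util.concurrent.*;

public class Argon2LoginProbe {
    // Parameters from the question: m=31250 KiB, t=8, p=1.
    static final int MEMORY_KIB = 31250, ITERATIONS = 8, PARALLELISM = 1;
    // Constructed load shape: 20 concurrent "logins", 200 verifications in total.
    static final int CONCURRENCY = 20, TOTAL = 200;

    static long gcMillis() { // cumulative stop-the-world time across all collectors
        long sum = 0;
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans())
            sum += Math.max(0, gc.getCollectionTime()); // -1 means "unsupported"
        return sum;
    }

    public static void main(String[] args) throws Exception {
        Argon2 argon2 = Argon2Factory.create(Argon2Factory.Argon2Types.ARGON2id);
        char[] password = "constructed-test-password".toCharArray(); // constructed sample
        String stored = argon2.hash(ITERATIONS, MEMORY_KIB, PARALLELISM, password);

        ExecutorService pool = Executors.newFixedThreadPool(CONCURRENCY);
        List<Future<Long>> results = new ArrayList<>();
        long gcBefore = gcMillis(), wallStart = System.nanoTime();
        for (int i = 0; i < TOTAL; i++) {
            results.add(pool.submit(() -> {
                long t0 = System.nanoTime();
                if (!argon2.verify(stored, password)) throw new IllegalStateException("verify failed");
                return (System.nanoTime() - t0) / 1_000_000L; // per-login latency in ms
            }));
        }
        long[] ms = new long[TOTAL];
        for (int i = 0; i < TOTAL; i++) ms[i] = results.get(i).get();
        pool.shutdown();
        long wallMs = (System.nanoTime() - wallStart) / 1_000_000L, gcMs = gcMillis() - gcBefore;
        argon2.wipeArray(password); // clear the plaintext once we are done with it

        Arrays.sort(ms);
        System.out.printf("p50=%d ms  p90=%d ms  p99=%d ms  max=%d ms%n",
                ms[TOTAL / 2], ms[TOTAL * 9 / 10], ms[TOTAL * 99 / 100], ms[TOTAL - 1]);
        // If gcMs is tiny next to the max latency, GC pauses cannot explain the spikes.
        System.out.printf("wall=%d ms  GC time during run=%d ms%n", wallMs, gcMs);
    }
}
```

Run it with the same JVM flags as the WebSphere instance; if the reported GC time is a small fraction of the max latency, the spikes are not collector pauses. argon2-jvm performs the hashing in native code through JNA, so the per-hash memory is not allocated on the Java heap in the first place.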