
Update the default strength for password encoders #7411


Closed
larsgrefer opened this issue Sep 9, 2019 · 5 comments
Assignees
Labels
in: crypto An issue in spring-security-crypto status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@larsgrefer
Contributor

I propose to increase the default strength for some password encoders.

The BCrypt encoder currently uses 10 as default strength, with which it only takes ~80ms to encode a password (on my Early 2015 MacBook Pro). I think the default should be increased to (at least) 12.

The Argon2 encoder only needs ~40ms, so its defaults should be increased too.

The SCrypt encoder needs ~80ms with its default parameters.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 9, 2019
@larsgrefer
Contributor Author

The Spring Security Reference Documentation says:

It is recommended that the "work factor" be tuned to take about 1 second to verify a password on your system.

@jzheaux
Contributor

jzheaux commented Sep 10, 2019

Thanks, @larsgrefer, for checking on this.

@rwinch do we have a hardware profile that we target when determining when to increase this? My concern would be if we bump the number up too early, lots of folks suddenly see password hashing taking quite a bit longer than 1 second.

@larsgrefer
Contributor Author

I've written a small test application and run it on different systems: https://github.com/larsgrefer/password-encoder-tester

MacBook Pro (Early 2015, 2.7GHz i5)

BCryptPasswordEncoder : 98ms
SCryptPasswordEncoder : 81ms
Argon2PasswordEncoder : 19ms
Pbkdf2PasswordEncoder : 528ms

Hetzner CX30 Cloud Server (2.1GHz Intel Xeon)

BCryptPasswordEncoder : 129ms
SCryptPasswordEncoder : 117ms
Argon2PasswordEncoder : 29ms
Pbkdf2PasswordEncoder : 742ms

AMD FX6300 (8GB DDR3 RAM)

BCryptPasswordEncoder : 81ms
SCryptPasswordEncoder : 93ms
Argon2PasswordEncoder : 23ms
Pbkdf2PasswordEncoder : 597ms

Raspberry PI B (800MHz ARM)

BCryptPasswordEncoder : 1428ms
SCryptPasswordEncoder : 1929ms
Argon2PasswordEncoder : 1905ms
Pbkdf2PasswordEncoder : 17453ms
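The tuning the thread is circling, in the issue body and in the quoted reference guidance (measure the cost at the current default, then raise the work factor until one verification takes roughly one second on the deployment hardware), as an added example. It is not code from larsgrefer/password-encoder-tester or from Spring Security; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a bcrypt-style log2 "strength" (iterations = 2**strength), so that, as with BCrypt's cost parameter, each +1 doubles the time. The `hash_password`/`verify_password`/`needs_upgrade` helpers and the `pbkdf2-sha256$strength$salt$digest` storage format are assumptions made for the example; they show the property a default bump depends on: the strength is stored with each hash, so old hashes keep verifying and can be re-hashed at the user's next successful login.

```python
"""Calibrate a log2 work factor to a target verification time (added example)."""
import hashlib
import hmac
import math
import os
import time
from typing import Callable

# Constructed sample values for the demonstration.
SAMPLE_PASSWORD = "correct horse battery staple"
TARGET_SECONDS = 1.0      # the reference documentation's "about 1 second"
BASE_STRENGTH = 10        # BCrypt's default at the time of the thread
MIN_STRENGTH, MAX_STRENGTH = 4, 31   # same bounds BCrypt allows for its cost


def iterations_for(strength: int) -> int:
    """bcrypt-style mapping: cost parameter -> 2**cost rounds."""
    return 1 << strength


def measure_seconds(strength: int, password: str = SAMPLE_PASSWORD) -> float:
    """Wall-clock time of one PBKDF2-HMAC-SHA256 derivation at `strength`."""
    salt = b"\x00" * 16          # fixed salt: we only time the derivation here
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                        iterations_for(strength), dklen=32)
    return time.perf_counter() - start


def choose_strength(target_seconds: float, measure: Callable[[int], float],
                    base: int = BASE_STRENGTH) -> int:
    """Smallest strength whose verification cost is at least target_seconds.

    Cost doubles per step, so one measurement at `base` extrapolates the
    answer; it is then confirmed by measuring, stepping up if the estimate
    undershot (timer noise, caches). `measure` is injectable so the logic
    can be exercised deterministically.
    """
    base_time = measure(base)
    if base_time <= 0:
        raise ValueError("measurement must be positive")
    steps = math.ceil(math.log2(target_seconds / base_time))
    strength = max(MIN_STRENGTH, min(base + steps, MAX_STRENGTH))
    while strength < MAX_STRENGTH and measure(strength) < target_seconds:
        strength += 1
    return strength


def hash_password(password: str, strength: int) -> str:
    """Encode strength and salt alongside the digest (assumed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 iterations_for(strength), dklen=32)
    return f"pbkdf2-sha256${strength}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the strength recorded in `stored`; constant-time compare."""
    scheme, strength, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex),
                                 iterations_for(int(strength)), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_upgrade(stored: str, current_strength: int) -> bool:
    """True when the hash was made with a weaker work factor than today's default."""
    return int(stored.split("$")[1]) < current_strength


if __name__ == "__main__":
    chosen = choose_strength(TARGET_SECONDS, measure_seconds)
    print(f"strength {BASE_STRENGTH}: {measure_seconds(BASE_STRENGTH) * 1000:.0f} ms")
    print(f"strength {chosen} reaches ~{TARGET_SECONDS}s on this machine")
    old = hash_password(SAMPLE_PASSWORD, BASE_STRENGTH)
    print("old hash still verifies:", verify_password(SAMPLE_PASSWORD, old))
    print("needs re-hash at new default:", needs_upgrade(old, chosen))
```

Run on the machine that will actually verify logins: the Raspberry Pi figures above show why a single global default cannot satisfy the one-second guidance everywhere, and why the calibration has to happen per deployment rather than being baked into the library. With the thread's ~80 ms at strength 10, the extrapolation lands on strength 14 (about 1.3 s), while the proposed 12 would give roughly 320 ms.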

@jzheaux jzheaux added this to the 5.3.x milestone Sep 29, 2019
@jzheaux jzheaux added in: crypto An issue in spring-security-crypto type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 29, 2019
larsgrefer added a commit to larsgrefer/spring-security that referenced this issue Oct 28, 2021
@rwinch rwinch removed this from the 5.3.x milestone May 31, 2022
@rwinch
Member

rwinch commented Jun 7, 2022

Despite this being created first, I'm going to close this as a duplicate of gh-10506 in order to preserve the assignee

@rwinch rwinch closed this as completed Jun 7, 2022
@rwinch rwinch self-assigned this Jun 7, 2022
@rwinch rwinch added the status: duplicate A duplicate of another issue label Jun 7, 2022
@larsgrefer
Contributor Author

MacBook Pro (2021, M1 Pro):

BCryptPasswordEncoder : 73ms
SCryptPasswordEncoder : 28ms
Argon2PasswordEncoder : 6ms
Pbkdf2PasswordEncoder : 295ms
