Last active
June 27, 2019 14:31
-
-
Save mxbrandi/7f23faab72fb79f08c3cadbe8d2c3e46 to your computer and use it in GitHub Desktop.
Find appropriate iteration count for bcryptjs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // According to the OWASP recommendation, the iteration count should be increased until the hash computation takes around 1 second. | |
| // Other recommendations are between 250 and 500 ms. | |
| // This procedure is performed, since the short delay is acceptable by the user but it thwarts password attacks (rainbow tables/brute force) effectively. | |
| // Run this script on the target system and find the appropriate number of iterations by looking at the execution time. | |
| // Requirements: `npm install bcryptjs` | |
| const bcrypt = require('bcryptjs'); | |
| const password = 'superHighsecurePassword1235!!$'; | |
| console.log('Workload\tIterations\tTime (Seconds)') | |
| // bcrypt forces the range of rounds to [4..31] | |
| // internally, the workload parameter N expands to 2^N iterations of hashing | |
| for (let i = 4; i < 32; i++) { | |
| const iterations = 2 ** i; | |
| let hrstart = process.hrtime(); | |
| const hash = bcrypt.hashSync(password, i); | |
| let hrend = process.hrtime(hrstart); | |
| console.log(`${i}\t\t${iterations}\t\t${hrend[0]}.${hrend[1]}`); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment