bcrypt message queues

bcrypt message queues

Richard Jonas
Hey guys,

we are implementing user registration and password checking functionality and using bcrypt for password hashing. During registration and also during login we need to compute the hashes of the passwords. The problem is that bcrypt is serializing requests even when I choose the nif or port mechanism.

https://github.com/chef/erlang-bcrypt

With the nif, a message queue builds up instantly when multiple users log in (computing hashes to match passwords). With a pool size+port implementation, the message queue build-up is just deferred a bit.

Is there any alternative for creating bcrypt-like hashes? To me it seems that this library cannot scale well. Or have I missed something?

--
Richard Jonas
Erlang Solutions Hungary Kft

Address:
  Riverpark Office K.32
  Közraktár street 32. 3/1.
  1093 Budapest
  Hungary
Phone/fax:
  +36-1-7000-654

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: bcrypt message queues

dmkolesnikov
Hello,

I've played with the pbkdf2 function for the same purpose. It is based on hmac from the crypto library.

https://github.com/fogfish/hash

Someone might disagree about pbkdf2 due to some of its features, but it works for me (tm).

- Dmitry


Re: bcrypt message queues

Paul Oliver-2
In reply to this post by Richard Jonas
Hi Richard,

I have a fork that uses a pool of ports. It's being used in production and has been verified to process requests concurrently. 
Paul.

On Tue, 31 May 2016, 02:45 Richard Jonas, <[hidden email]> wrote:
Hey guys,

we are implementing user registration and password checking functionality and using bcrypt for password hashing. During registration and also during login we need to compute the hashes of the passwords. The problem is that bcrypt is serializing requests even when I choose nif or port mechanism.


With nif a message queue is instantly built when multiple users log in (compute hashes for match password). With a pool size+port implementation, the message queue building has just deferred a bit.

Is there any alternative to creating bcrypt-like hashes? For me it seems that this library cannot be scaled well. Or have I missed something?

--
Richard Jonas
Erlang Solutions Hungary Kft

Address:
  Riverpark Office K.32
  Közraktár street 32. 3/1.
  1093 Budapest
  Hungary
Phone/fax:
  +36-1-7000-654
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Reply | Threaded
Open this post in threaded view
|

Re: bcrypt message queues

Sverker Eriksson-4
In reply to this post by Richard Jonas
How heavy duty is this bcrypt?
Does it take milliseconds to hash one little password?

/Sverker


Re: bcrypt message queues

Technion

Hi,

If it takes less than "milliseconds", it's broken.

Standard recommendations are 50ms.

Re: bcrypt message queues

Richard Jonas
In reply to this post by Sverker Eriksson-4
I load tested with a VM (so the numbers are not relevant, only the ratios). Oliver's fork spawns as many bcrypt_port (a pool of ports) as we have schedulers. Makes sense. The chef/erlang-bcrypt can spawn as many as we want (pool_size config key).

I used round = 12, which took 42,000-60,000 ms when we spawned 100 workers on a single core (ok, bad idea, but that's what load testing is).
With round = 4, it took 400-2100 ms (median is 700 ms) with the same number of workers.

@Sverker: 1 password from the shell took 5 ms to hash.

If I have the time and the possibility, I'll embed the bcrypt library into basho_bench and load test bcrypt that way, because right now I load test it via a cowboy REST API. So with round 4 we can say that other components will be the bottleneck, not bcrypt.


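As an added example (not code from this thread or from the erlang-bcrypt project), the following Erlang module picks the bcrypt cost on the deploying machine from a timing target like the 50 ms Technion mentions, instead of hard-coding round = 4 or 12 as in the load test above. It assumes chef/erlang-bcrypt's bcrypt:gen_salt/1 and bcrypt:hashpw/2, both returning {ok, _}, and that the bcrypt application has been started.

```erlang
%% Added example: calibrate the bcrypt cost (log rounds) against a wall-clock
%% target. Assumes chef/erlang-bcrypt's API (bcrypt:gen_salt/1, bcrypt:hashpw/2)
%% and a started bcrypt application; not part of the library itself.
-module(bcrypt_calibrate).
-export([calibrate/1, calibrate/3, time_hash/2]).

-define(MIN_LOG_ROUNDS, 10).  % floor: never go below this, even on a slow VM
-define(MAX_LOG_ROUNDS, 31).  % bcrypt's upper bound for the cost parameter
-define(SAMPLES, 3).          % median of a few runs smooths scheduler jitter

%% Median wall-clock time in milliseconds of one hashpw/2 call at LogRounds.
time_hash(Password, LogRounds) ->
    {ok, Salt} = bcrypt:gen_salt(LogRounds),
    Micros = [element(1, timer:tc(bcrypt, hashpw, [Password, Salt]))
              || _ <- lists:seq(1, ?SAMPLES)],
    lists:nth((?SAMPLES + 1) div 2, lists:sort(Micros)) / 1000.

%% Smallest cost >= MIN_LOG_ROUNDS whose hash time reaches TargetMs.
%% The password is a constructed, calibration-only value.
calibrate(TargetMs) ->
    calibrate(TargetMs, "calibration-only-password", ?MIN_LOG_ROUNDS).

%% Each extra log round roughly doubles the time, so a linear walk upward
%% from the floor terminates after a handful of steps.
calibrate(TargetMs, Password, LogRounds) when LogRounds < ?MAX_LOG_ROUNDS ->
    Ms = time_hash(Password, LogRounds),
    if
        Ms >= TargetMs -> {ok, LogRounds, Ms};
        true           -> calibrate(TargetMs, Password, LogRounds + 1)
    end;
calibrate(_TargetMs, Password, LogRounds) ->
    {ok, LogRounds, time_hash(Password, LogRounds)}.
```

Calling bcrypt_calibrate:calibrate(50) returns {ok, LogRounds, Ms}; store LogRounds in configuration and re-run the calibration when the hardware changes.
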
Re: bcrypt message queues

Stanislaw Klekot
In reply to this post by Sverker Eriksson-4
On Tue, May 31, 2016 at 10:56:05AM +0200, Sverker Eriksson wrote:
> How heavy duty is this bcrypt?
> Does it take milliseconds to hash one little password?

Password hashes are *designed* to take a long time to compute (e.g. a semi-traditional MD5-based crypt() is an MD5 hash applied 1000 times, each time to the result of the previous computation). This is to make precomputation attacks so much more costly.

Having said that, https://github.com/chef/erlang-bcrypt has sub-par internals, as it runs two processes (one for the NIF and one for the port driver; why a port driver? there's no state to maintain between calls as far as I'm aware), and the NIF is always called in one. This makes a great example of an unnecessary bottleneck.

--
Stanislaw Klekot
Re: bcrypt message queues

Technion
Is there any particularly great documentation on how to ensure a NIF doesn't fall into these traps?
I'm going to have a need for Argon2 at some point, at the moment making such a NIF looks well over my head.
