Bcrypt takes a lot of time in Go?

Question

I have used the bcrypt package with Go gin; the weird thing is that when I bcrypt any password it takes like 500ms to 900ms in the response.

the code:

package main

import (
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
	"golang.org/x/crypto/bcrypt"
)

type User struct {
	ID       uint
	Name     string
	Email    string
	Password []byte
}

// HashPassword replaces the plaintext password with its bcrypt hash.
// Cost 12 means 2^12 rounds of bcrypt's expensive key setup, which is where the time goes.
func (user *User) HashPassword(password []byte) error {
	hashedPassword, err := bcrypt.GenerateFromPassword(password, 12)
	if err != nil {
		return err
	}
	user.Password = hashedPassword
	return nil
}

func main() {
	r := gin.Default()

	r.GET("/user", func(c *gin.Context) {
		user := User{
			Name:     "test",
			Email:    "test@gmail.com",
			Password: []byte("password"),
		}

		// The request latency is dominated by this call.
		if err := user.HashPassword(user.Password); err != nil {
			log.Printf("hashing failed: %v", err)
			c.JSON(http.StatusInternalServerError, gin.H{"message": "internal error"})
			return
		}

		c.JSON(http.StatusOK, gin.H{
			"message": "done",
		})
	})

	if err := r.Run(":5050"); err != nil {
		log.Fatal(err)
	}
}

I benchmarked from Postman: status 200 OK, time 800ms.

Why does this pkg take this much time!?

Answer 1

Score: 8

That's the whole purpose of a key derivation function such as BCrypt: to be computationally expensive in order to make brute-forcing impractical.

But the cost factor of 12 is too high. You should reduce it to 10 or 8.

bcrypt.GenerateFromPassword(password, 10)  // 10 is the default cost

Here's a demo timing test with different BCrypt cost factors:

package main

import (
	"fmt"
	"time"

	"golang.org/x/crypto/bcrypt"
)

// test hashes a fixed password at the given cost and prints how long it took.
func test(cost int) {
	t1 := time.Now()
	_, _ = bcrypt.GenerateFromPassword([]byte("test pass"), cost)
	t2 := time.Now()
	fmt.Println(cost, ": ", t2.Sub(t1))
}

func main() {
	// Each increment of the cost roughly doubles the time.
	for i := 4; i < 15; i++ {
		test(i)
	}
}

Output:

4 :  2.2077ms
5 :  3.404ms
6 :  6.8319ms
7 :  14.732ms
8 :  23.4149ms
9 :  46.2739ms
10 :  98.964ms
11 :  187.7988ms
12 :  371.6627ms
13 :  754.1349ms
14 :  1.5391565s

Answer 2

Score: 7

The objective of bcrypt is to perform hashes that are long to compute and thus hard to break by brute force. This low performance is actually a feature.

huangapple
  • Posted on 2021-10-14 17:01:06
  • Please keep this link when reposting: https://go.coder-hub.com/69567892.html