In the web application I use 10,000+ iterations for hashing passwords stored in database (random salt and all). Password-related operations are not frequent enough to create a noticeable performance hit. Signing authentication tokens is a different story. This happens on every token renewal which may happen on every request but in practice is configured to happen at least every X seconds. I cannot find any recommendation as to the number of iterations for generating HMAC for encrypted payload such as the token. What are the risks of using a very low number, let's say 10? I use 24 byte salts.
Asked
Active
Viewed 34 times
1
-
1iterative hashing is for weak entropy, if your tokens are random and large enough, then 1 iteration is fine – Richie Frame Jun 26 '15 at 19:10
-
Actually, on second thought I'm not sure that's a good duplicate for the question, though the answer covers this well. If people do think it's a duplicate, this question should definitely not be deleted, but remain to point to it. – otus Jun 27 '15 at 07:12
-
1@otus I think that the consensus now is that the question can be closed, not deleted if an answer on another question covers the question put forward. That's more of a meta discussion though. – Maarten Bodewes Jun 27 '15 at 10:18