
I am trying to make the login page faster by using low RAM

$hash = sodium_crypto_pwhash_str($password.$MAC, 1, 10240);

My question is that I don't like the login page taking too long to process, like one second, and if I make it faster by using minimum parameters, does it make it insecure? I am using a very long MAC to make it harder to brute force but extremely fast.

Average time 0.0001368522644043 ms

Saud Iqbal
  • Not a correct title! It should be like How secure is Argon2ID with parameters.... What is long MAC? – kelalaka Jan 04 '20 at 23:09
  • Usual advice, keep it around 1 sec for a single user. This will make it harder to bruteforce. – kelalaka Jan 04 '20 at 23:21
  • @kelalaka random characters longer than 64 in length. – Saud Iqbal Jan 04 '20 at 23:38
  • What kind of characters would that be? If you have 64 fully random hex characters (choice of 16 per character) then you'd have 256 bits of randomness, and you might as well use 1 iteration. – Maarten Bodewes Jan 05 '20 at 00:52
  • @kelalaka: Around 1 sec - yes. But we should consider the whole system: The number of password checks per second per application instance (per server node, per server container or like this). If there are 1000 password checks per application instance per second, it means each password check should take not longer than 0.001 sec. I simplified it, but you get the idea. – mentallurg Jan 05 '20 at 17:56
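
One way to act on the timing advice in the comments above, as an added example (not code from the question or its commenters): it times `sodium_crypto_pwhash_str()` at the question's parameters and at libsodium's INTERACTIVE and MODERATE presets, keeps the costliest setting that fits a time budget, and upgrades an older hash with `sodium_crypto_pwhash_str_needs_rehash()`. The 0.5 s budget, the sample password and the candidate list are assumptions to adjust per deployment.

```php
<?php
const SAMPLE_PASSWORD = 'correct horse battery staple'; // constructed sample input
const BUDGET_SECONDS  = 0.5;                             // assumed per-login time budget

// Candidate [opslimit, memlimit in bytes] pairs, weakest first.
$candidates = [
    'question (1, 10240)' => [1, 10240],
    'INTERACTIVE' => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE],
    'MODERATE'    => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE],
];

// Best-of-N wall-clock seconds for one hash at the given settings.
function secondsPerHash(int $ops, int $mem, int $runs = 3): float
{
    $best = INF;
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true); // monotonic clock, nanoseconds
        sodium_crypto_pwhash_str(SAMPLE_PASSWORD, $ops, $mem);
        $best = min($best, (hrtime(true) - $start) / 1e9);
    }
    return $best;
}

$chosen = null;
foreach ($candidates as $name => [$ops, $mem]) {
    try {
        $t = secondsPerHash($ops, $mem);
    } catch (SodiumException $e) { // e.g. not enough memory for this setting
        printf("%-20s failed: %s\n", $name, $e->getMessage());
        continue;
    }
    printf("%-20s %9.3f ms  ~%.0f hashes/s per core\n", $name, $t * 1000, 1 / max($t, 1e-9));
    if ($t <= BUDGET_SECONDS) {
        $chosen = [$ops, $mem]; // list is ordered, so the last fit is the costliest
    }
}
if ($chosen === null) {
    exit("No candidate fits the budget\n");
}
[$ops, $mem] = $chosen;

// A hash stored under the old settings still verifies; needs_rehash() flags it
// so it can be replaced at the user's next successful login.
$stored = sodium_crypto_pwhash_str(SAMPLE_PASSWORD, 1, 10240);
if (sodium_crypto_pwhash_str_verify($stored, SAMPLE_PASSWORD)
    && sodium_crypto_pwhash_str_needs_rehash($stored, $ops, $mem)) {
    $stored = sodium_crypto_pwhash_str(SAMPLE_PASSWORD, $ops, $mem);
}
echo $stored, "\n";
```

The hashes-per-second column is the per-core login throughput at that setting, which is the whole-system figure raised in the last comment.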

0 Answers