BCrypt Settings

Aside

While working on the new web API for Owl Platform, I had some trouble finding the right parameters for bcrypt. It’s a great library/algorithm for password hashing, but I couldn’t figure out what the right log factor was. The default value of 10 was described in plenty of articles, but I had no idea what was right for 2013. Here’s what I found. On my Intel i5 M460 (2.5 GHz), it took around 440 milliseconds to hash/verify a password using a log factor of 12. This seems entirely reasonable to me. I hope that on better hardware it will still take at least 5-10 milliseconds, slowing down attackers.

Ben and I got into a big tirade about what was really secure and what crypto strength meant and everything, but in the end I think a log factor of 12 is sensible.  I may bump it up to 13 before we go live, if the hardware keeps the hash under 200 ms.
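The post settles on a cost by timing one hash and reasoning that each increment of the log factor doubles the work. Here is that calibration written out as an added example (my code, not part of the original post or of Owl Platform). bcrypt itself is not in the Python standard library, so the harness uses `hashlib.scrypt` as the stand-in: its `n = 2**cost` parameter is a log2 work factor exactly like bcrypt's rounds, so the timing loop and the "smallest cost that meets the target" search carry over unchanged; to calibrate real bcrypt, pass a callable that runs `bcrypt.hashpw(pw, bcrypt.gensalt(rounds=cost))` instead. The password, salt and time targets are constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time
from typing import Callable

# Constructed sample inputs (not from the original post).
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)


def scrypt_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Stand-in for bcrypt: scrypt's N = 2**cost is a log2 work factor,
    so raising cost by one doubles the work, just like bcrypt's rounds."""
    return hashlib.scrypt(password, salt=salt, n=2 ** cost, r=8, p=1,
                          maxmem=256 * 1024 * 1024, dklen=32)


def verify(password: bytes, salt: bytes, cost: int, expected: bytes) -> bool:
    """Recompute at the stored cost and compare in constant time."""
    return hmac.compare_digest(scrypt_hash(password, salt, cost), expected)


def median_seconds(hash_once: Callable[[int], object], cost: int,
                   samples: int = 3) -> float:
    """Median wall-clock time of hash_once(cost) over a few samples.
    The median ignores a single slow sample caused by a busy machine."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        hash_once(cost)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def choose_cost(hash_once: Callable[[int], object], target_seconds: float,
                min_cost: int = 4, max_cost: int = 20, samples: int = 3) -> int:
    """Smallest cost in [min_cost, max_cost] whose median hash time reaches
    target_seconds on this machine; max_cost if none does. Because the work
    doubles per step, the search can stop at the first cost that qualifies."""
    for cost in range(min_cost, max_cost + 1):
        if median_seconds(hash_once, cost, samples) >= target_seconds:
            return cost
    return max_cost


def projected_seconds(measured_seconds: float, measured_cost: int,
                      new_cost: int) -> float:
    """Estimate the time at another cost from one measurement: each +1 on a
    log2 work factor doubles the time, each -1 halves it."""
    return measured_seconds * 2.0 ** (new_cost - measured_cost)


if __name__ == "__main__":
    # Calibrate to a 200 ms budget with the scrypt stand-in.
    hash_once = lambda cost: scrypt_hash(PASSWORD, SALT, cost)
    cost = choose_cost(hash_once, target_seconds=0.2, min_cost=10, max_cost=16)
    print(f"cost {cost}: {median_seconds(hash_once, cost) * 1000:.0f} ms per hash")

    # Store the cost next to the hash so verification uses the same parameters.
    stored = scrypt_hash(PASSWORD, SALT, cost)
    print("verify ok:", verify(PASSWORD, SALT, cost, stored))
    print("wrong password:", verify(b"hunter2", SALT, cost, stored))

    # The post's figure: 440 ms at cost 12 implies about 880 ms at 13.
    print(f"cost 13 projected: {projected_seconds(0.44, 12, 13) * 1000:.0f} ms")
```

Re-run the calibration on the hardware that will actually serve logins, not a laptop; the cost that takes 440 ms on one machine takes a fraction of that on a faster one, which is exactly the "bump it to 13" decision the post describes.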