hash_pbkdf2 is too slow #359
Comments
|
Giving users full control over the iteration count is a little too risky -- this library is designed around the philosophy of "no options, just always do the secure thing." Something safer would be to have "weak" (fast) and "strong" (slow) options, but I want to avoid introducing an option if possible. What's your use case where 180ms is unacceptable? If you're decrypting a lot of ciphertexts with the same password, it could make more sense to use a KeyProtectedByPassword, so that you only need to run PBKDF2 once to decrypt the key, and then do fast encryption/decryption with that key. |
|
I was using it to create self contained token until I migrated it to JWT, which makes more sense for api tokens. But in any case, if i would need to encrypt/decrypt something in each request 180ms would be pretty unacceptable. (I didn't know KeyProtectedByPassword usage, though.) |
|
That's a good use case. Yeah, I don't think there's a need to use passwords at all there, you could just save a |
|
Thanks for explanations. I ll keep it in mind for other areas i use |
Hi,
php hash_pbkdf2 is slower when the number of iterations are bigger, which in some cases not neccessary.
const PBKDF2_ITERATIONS = 100000;makes it around 180ms in my case and it is too slow, at least for my case. 10000 makes it around 20-30ms.It would be better, if we could change the iteration count programmatically for performance reasons in different scenarios.
The text was updated successfully, but these errors were encountered: