I have used bcrypt package with GO gin, the weird thing is when I Bcrypt any password it takes like 500ms to 900ms in response

the code:

package main

import (
    "github.com/gin-gonic/gin"
    "golang.org/x/crypto/bcrypt"
)

type User struct {
    ID       uint
    Name     string
    Email    string
    Password []byte
}

func (user *User) HashPassword(password []byte) {
    hashedPassword, _ := bcrypt.GenerateFromPassword(password, 12)
    user.Password = hashedPassword
}

func main() {
    r := gin.Default()

    r.GET("/user", func(c *gin.Context) {

        user := User{
            Name:     "test",
            Email:    "[email protected]",
            Password: []byte("password"),
        }

        user.HashPassword(user.Password)

        c.JSON(200, gin.H{
            "message": "done",
        })
    })

    r.Run(":5050")
}

I benchmark from Postman status: 200 OK Time: 800ms

Why this pkg take this time!?

CodePudding user response：

That's the whole purpose of a key derivation function such as BCrypt is to be computationally expensive in order to make brute-forcing impractical.

But the cost factor of 12 is too high. You should reduce it to 10 or 8.

bcrypt.GenerateFromPassword(password, 10)  // 10 is the default cost

Here's a demo timing test with different BCrypt cost factors:

func test(cost int) {
    t1 := time.Now()
    _, _ = bcrypt.GenerateFromPassword([]byte("test pass"), cost)
    t2 := time.Now()
    fmt.Println(cost, ": ", t2.Sub(t1))
}

func main() {
    for i := 4; i < 15; i   {
        test(i)
    }
}

Output:

4 :  2.2077ms
5 :  3.404ms
6 :  6.8319ms
7 :  14.732ms
8 :  23.4149ms
9 :  46.2739ms
10 :  98.964ms
11 :  187.7988ms
12 :  371.6627ms
13 :  754.1349ms
14 :  1.5391565s

CodePudding user response：

The objective of bcrypt is to perform hashes that are long to compute and thus hard to break by brute force. This low performance is actually a feature.