Security checkHash Takes Long Time

Question

Security checkHash Takes Long Time

Tapan Kumar Thapa Jan '14

Created Jan '14	Last Reply Jan '14	Replies 2	Views 1012	Votes 0

Tapan Kumar Thapa 2.3k

Jan '14

Hi,

checkHash method under security class takes 25-30ms. Is it Ok?

private function _checkUser( Request $request ) {

    $username = $request->getQuery( 'username' );
    $password = $request->getQuery( 'password' );

    //Check username and password
    $user = Users::findFirst( array(
            "username='$username'",
            "cache" => array( "key" => "users-cache", "lifetime" => 20 )
        ) );
    if ( $user ) {
        if ( $this->security->checkHash( $password, $user->password ) ) {
            return true;
        }else {
            return false;
        }
    }
    else {
        return false;
    }
}

Without checkHash it takes only 4 ms.

Please suggest.

Thanks & Regards Tapan Thapa

Volodymyr Kolesnykov · Answer 1 · 2014-01-13T22:35:43-07:00

Yes. Time it takes to verify the hash greatly depends on the work factor parameter of Phalcon\Security::hash(). The work factor (aka cost) is none other than base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm (see https://php.net/crypt). Say, if the work factor is 20, the original password is iteratively hashed 2^20 times. This is used to make brute force attacks not feasible.

Tapan Kumar Thapa · Answer 2 · 2014-01-13T22:40:14-07:00

Ok..So do you recommend using Crypt class for faster decryption of password. (https://docs.phalcon.io/en/latest/reference/crypt.html)

Volodymyr Kolesnykov · Answer 3 · 2014-01-13T22:51:15-07:00

No :-) Phalcon\Security uses crypt() internally, I just tried to explain why checkHash() takes much time.

Tapan Kumar Thapa · Answer 4 · 2014-01-13T23:15:38-07:00

Tapan Kumar Thapa
2.3k

Jan '14

Ok..Thanks...