CigTrack Day #6: Security and bcrypt

I’m a fan of improvisation, duct tape and hacking things into doing what you want them to do quickly and without a lot of testing. One area where I wouldn’t follow this approach is security.

Security is something many companies don’t take seriously. Their servers get broken into, all their users’ data is stolen, leaked, etc. Not cool.

This is not because security is impossible; it’s because it’s often simply ignored, and it can be expensive. Nothing is unbreakable, but in my opinion it’s worth at least making an effort towards being hard to break.

Using bcrypt

There’s a very popular article by Coda Hale from early 2010 that compares bcrypt to md5 and sha1 and makes some pretty good points about using strong algorithms instead of ones that are weak nowadays.

The first thing I noticed when I implemented it in two of my API functions is that it surely is expensive. On my laptop, which has a 1.8 GHz Intel dual-core processor and is still faster than what most VPS instances are equipped with, running bcrypt through node.js leads to response times of around 300 ms per request; add maybe ~20 ms until it reaches the client.

Below I’ve logged some of the requests to change a user’s password, which calls two expensive functions. First it compares the current password against the hash stored in the database, then, if it matches, hashes the new password with bcrypt.hash.

Some Numbers:

8 requests,
median response time (express.js output): 288.25 ms

POST /user/changePassword 200 324ms - 34b true
POST /user/changePassword 200 284ms - 34b true
POST /user/changePassword 200 276ms - 34b true
POST /user/changePassword 200 278ms - 34b true
POST /user/changePassword 200 282ms - 34b true
POST /user/changePassword 200 282ms - 34b true
POST /user/changePassword 200 291ms - 34b true
POST /user/changePassword 200 289ms - 34b

Now this is really, really expensive in CPU time compared to schemes like a random salt paired with md5 or sha1.

Bcrypt isn’t a silver bullet; of course your server also needs to be sufficiently secured, and much more besides. Bcrypt can be viewed as the last line of defense if everything else fails and an attacker has already breached all the other security.

It’s an easy start though: just use this function instead of another. I’m going to write more about Linux server security if you’re interested 🙂
