A fair test between bcryptjs and twin-bcrypt


Adrian Lynch

Sep 10, 2014, 7:59:05 PM
to nod...@googlegroups.com
I'm seeing bcryptjs beat twin every time with the following code:

var bcryptJS = require('bcryptjs');
var twinBcrypt = require('twin-bcrypt');

var password = "password";
var rounds = 12;
var hash, start, end;

// twin-bcrypt
start = new Date();
hash = twinBcrypt.hashSync(password, twinBcrypt.genSalt(rounds));
end = new Date();
console.log("Took \t" + (end - start) + "ms\t to hash '" + password + "' into '" + hash + "'");

// bcryptjs
start = new Date();
hash = bcryptJS.hashSync(password, bcryptJS.genSaltSync(rounds));
end = new Date();
console.log("Took \t" + (end - start) + "ms\t to hash '" + password + "' into '" + hash + "'");

On my Mac, BJS comes in at ~950ms and twin, ~1700ms.

From the description of twin-bcrypt, I'd expect it to be quicker.

Does my test code look OK? Am I misusing the libs?

Thanks.

Adrian
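
A fairer version of the comparison in the post above, as an added example that is not part of the original thread: it warms each hasher up, times several runs on a monotonic clock, keeps salt generation out of the timed region, and measures in both orders. `standIn` is a constructed workload (not bcrypt) so the block runs without either module; the wiring to `bcryptJS.hashSync` and `twinBcrypt.hashSync` shown in the comment is an assumption.

```javascript
// Added example: fair micro-benchmark harness for synchronous password hashers.
// Assumed wiring: (p, s) => bcryptJS.hashSync(p, s), (p, s) => twinBcrypt.hashSync(p, s)

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Times hashFn only; the caller generates the salt once, outside the timed region.
function bench(hashFn, password, salt, { warmup = 2, runs = 5 } = {}) {
  for (let i = 0; i < warmup; i++) hashFn(password, salt); // untimed: load and JIT costs
  const ms = [];
  for (let i = 0; i < runs; i++) {
    const t0 = process.hrtime.bigint(); // monotonic clock, nanoseconds
    hashFn(password, salt);
    ms.push(Number(process.hrtime.bigint() - t0) / 1e6);
  }
  return { runs: ms.length, min: Math.min(...ms), median: median(ms), max: Math.max(...ms) };
}

// Benchmarks every candidate in forward and then reverse order, so no
// candidate is always the one measured first, and combines the two medians.
function compare(candidates, password, salt, opts) {
  const names = Object.keys(candidates);
  const samples = {};
  for (const order of [names, [...names].reverse()]) {
    for (const name of order) {
      const r = bench(candidates[name], password, salt, opts);
      (samples[name] = samples[name] || []).push(r.median);
    }
  }
  return Object.fromEntries(names.map((n) => [n, median(samples[n])])); // name -> ms
}

// Constructed stand-in workload, NOT bcrypt: 2^cost passes of an FNV-1a style
// mix, so work doubles per cost step the way bcrypt's rounds parameter does.
function standIn(cost) {
  return (password, salt) => {
    let h = 0x811c9dc5;
    const input = salt + password;
    for (let r = 0; r < 2 ** cost; r++)
      for (let i = 0; i < input.length; i++)
        h = Math.imul(h ^ input.charCodeAt(i), 0x01000193) >>> 0;
    return h.toString(16);
  };
}

console.log(compare({ cost14: standIn(14), cost15: standIn(15) }, 'password', 'constructed-salt'));
```

When comparing real modules, generate one salt at the chosen rounds value and pass the same salt to every candidate so each does identical work.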

Matt

Sep 11, 2014, 7:24:07 PM
to nod...@googlegroups.com
Two issues: 1) Why would you expect it to be faster? It's pure JS using asm.js (which Node doesn't support), vs bcrypt is compiled C code. And 2) Being slow is a feature of bcrypt - it makes brute force cracking harder.

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+un...@googlegroups.com.
To post to this group, send email to nod...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CAH368SSHMxGhSWepY5bOETSdkW8uY76b%3D8FFm6Tk6yt2aKWVRQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

mscdex

Sep 11, 2014, 8:12:43 PM
to nod...@googlegroups.com
On Thursday, September 11, 2014 7:24:07 PM UTC-4, Matt Sergeant wrote:
> Two issues: 1) Why would you expect it to be faster? It's pure JS using asm.js (which Node doesn't support), vs bcrypt is compiled C code. And 2) Being slow is a feature of bcrypt - it makes brute force cracking harder.


`bcrypt` is the one that is a compiled addon. `bcryptjs` is a pure-JS module that is API compatible with `bcrypt`.

Adrian Lynch

Sep 12, 2014, 6:23:03 AM
to nod...@googlegroups.com
Cheers Matt,

I expected it to be faster because its speed is talked about on the GH page:


I'm just coming into the Node world and didn't know about asm.js not being supported in V8.

I asked the author of that repo directly and he filled me in on what you mentioned:


Of course being slow is a good thing with BCrypt, but given two modules that do the same thing, you want to be running the fastest one, surely?

A

Adrian Lynch

Sep 12, 2014, 6:23:04 AM
to nod...@googlegroups.com
Thanks M,

I'll expand my tests to other BCrypt modules:


If the dependencies are acceptable to us, Python 2.x and node-gyp's deps, and it's faster, then we might shift to using that.

Thanks for the heads-up!

A


Tom Boutell

Sep 12, 2014, 7:26:51 AM
to nod...@googlegroups.com
When it comes to security, the library with the most eyeballs reviewing it for security holes (remember Heartbleed?) is probably the better choice. Speed is secondary.

That shouldn't mean that a more performant library should never ever replace a widely trusted security library, but this is not an area in which to be the early adopter and rush in (: