Hashing algorithms

Mendix gives the developer a choice of two different hashing algorithms, namely:

  1. BCrypt
  2. SSHA256

This article will not discuss the merits of each algorithm on the security spectrum. Suffice it to say that we feel both algorithms are secure enough to store passwords within Mendix. The main difference is that the BCrypt algorithm has deliberately been configured to be relatively slow, since it was designed specifically to resist brute-force attacks. However, this results in a performance difference compared with the SSHA256 algorithm.

This performance difference is hardly going to be noticeable to a single user when logging in (the password you enter when logging in is hashed using the selected algorithm), so in general performance alone is not a great reason to choose SSHA256 over BCrypt. This situation can change, however, when dealing with a high concurrency of hashing operations. A common example of an area where this occurs is published web services exposing operations that complete quickly (i.e. short-running microflows).

A (web service) user will login to execute a web service operation, wait for the operation to finish and finally get the result back (if any).

Imagine an empty microflow that returns nothing at all, exposed as a published web service. We ask one user to execute this operation as many times as they can in one minute (simulated with SoapUI). First we set the hashing algorithm to BCrypt, then we set it to SSHA256. Any extra overhead here (on top of establishing the connection, building the XML message and so forth) is essentially the hashing algorithm, as the operation itself should take near zero milliseconds and there is no result. So that leaves only the login (or, more precisely, the hashing of the password).

Hashing algorithm   Total operations executed   Operations per second   Overhead in milliseconds
BCrypt              654                         10.88                   91.9
SSHA256             7163                        119.36                  8.4

So 80 milliseconds per operation is not that much, right? Well, it depends. How long does the operation itself take?

Operation duration in seconds   Operations per hour (BCrypt)   Operations per hour (SSHA256)   Difference %
0.1                             18760                          33210                           +77%
0.25                            10529                          13932                           +32%
1                               3297                           3570                            +8%
5                               707                            719                             +1.67%
15                              239                            240                             +0.5%

As we can see, the shorter each operation takes, the more noticeable the difference becomes. So if you expect a very high amount of concurrency in operations where hashing takes place (most commonly anywhere login operations are involved), you might want to consider changing the hashing algorithm your application uses.
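The two tables above follow from a simple model: every call pays the measured per-login hashing overhead on top of the operation's own duration, and one sequential caller has 3600 seconds per hour. The script below is an added example (not Mendix code) that rebuilds the operations-per-hour table from the measured overheads (91.9 ms for BCrypt, 8.4 ms for SSHA256) for any list of operation durations, and adds a capacity estimate of how many CPU cores password hashing alone keeps busy at a given login rate. That last estimate is an assumption of linear, CPU-bound scaling, not a figure from the page.

```python
"""Throughput model for a login-bound published web service (added example).

The only measured inputs are the per-operation overheads from the one-minute
SoapUI run above; everything else is derived arithmetic.
"""

# Measured per-operation overhead in milliseconds for a near-empty operation
# (from the first table on the page).
OVERHEAD_MS = {"BCrypt": 91.9, "SSHA256": 8.4}

# Operation durations, in seconds, used in the second table on the page.
OPERATION_DURATIONS_S = [0.1, 0.25, 1, 5, 15]


def ops_per_hour(op_duration_s: float, overhead_ms: float) -> int:
    """Operations one sequential caller completes in an hour when each call
    pays the login (hashing) overhead on top of the operation itself."""
    return round(3600 / (op_duration_s + overhead_ms / 1000))


def gain_pct(slower: int, faster: int) -> float:
    """Relative throughput gain of the faster algorithm, in percent."""
    return round((faster - slower) / slower * 100, 1)


def throughput_table(durations=OPERATION_DURATIONS_S, overheads=OVERHEAD_MS):
    """Rebuild the duration-vs-throughput table for any set of durations.

    Returns rows of (duration_s, ops_per_hour_bcrypt, ops_per_hour_ssha256, gain_pct).
    """
    rows = []
    for d in durations:
        bcrypt = ops_per_hour(d, overheads["BCrypt"])
        ssha = ops_per_hour(d, overheads["SSHA256"])
        rows.append((d, bcrypt, ssha, gain_pct(bcrypt, ssha)))
    return rows


def hashing_cpu_cores(logins_per_second: float, overhead_ms: float) -> float:
    """Simplified capacity estimate (an assumption, not a Mendix figure):
    if hashing is CPU-bound and scales linearly, this many cores are kept
    busy purely by password hashing at the given sustained login rate."""
    return round(logins_per_second * overhead_ms / 1000, 2)


if __name__ == "__main__":
    print(f"{'duration s':>10} {'BCrypt/h':>9} {'SSHA256/h':>10} {'gain':>8}")
    for d, b, s, g in throughput_table():
        print(f"{d:>10} {b:>9} {s:>10} {g:>+7.1f}%")
    for algo, ms in OVERHEAD_MS.items():
        print(f"{algo}: {hashing_cpu_cores(50, ms)} cores busy at 50 logins/s")
```

Running it reproduces the page's per-hour figures to within rounding (the page's percentages were rounded differently, e.g. +77% versus 77.0). The capacity estimate makes the concurrency argument concrete: at 50 logins per second, BCrypt at 91.9 ms keeps roughly 4.6 cores busy hashing alone, while SSHA256 at 8.4 ms needs well under one, which is the situation where the choice of algorithm starts to matter.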

One final, but very important, note to remember when changing hashing algorithms: any hashed attribute (like the System$User password attribute) has its algorithm fixed at the moment the value is hashed. In other words, for the new hashing type to take effect, any already existing hashed attribute will have to be reset (re-hashed) using the new hashing type.
