Hi, I recently used bcrypt.genSalt of the bcrypt npm package in my project. The basic idea for using bcrypt.genSalt was to generate a salt for my password, which needs to be encrypted. The syntax for using bcrypt.genSalt is as follows:
bcrypt.genSalt(rounds, cb)
rounds - [OPTIONAL] - the cost of processing the data. (default - 10)
cb - [REQUIRED] - a callback to be fired once the salt has been generated. Uses eio, making it asynchronous. err - first parameter to the callback detailing any errors. salt - second parameter to the callback providing the generated salt.
Out of curiosity I changed the rounds parameter from 10 to 1024 in bcrypt.genSalt(rounds, cb) and found out that my API was unable to execute bcrypt.genSalt(rounds, cb). I had to abort my POST operation in DHC.
Can somebody explain the importance of rounds in bcrypt.genSalt(rounds, cb)? Also, what will happen if I set rounds to a value less than 10 or more than 10?
The rounds param in bcrypt is logarithmic. The actual number of repeated hashing loops done within bcrypt is Math.pow(2, rounds).
So Math.pow(2, 1024) is a very large number and your processing will not finish in millions of years!
You should test and pick a number - probably between 10 and 20 - that takes a fraction of a second, perhaps 200ms. Technically for best security you should use a number as high as you can without affecting user experience, because it is the time it takes to do one complete hash which is what makes bcrypt an effective protection against brute-forcing passwords from your hashed storage.
Selecting a value below 10 does no harm to your user experience, but someone attacking the password table would have an advantage and might be able to scan for more common passwords in a given time.
I found using a value of 1 quite useful when running unit tests - it made creating test user data and test user logins much faster, so you can run more unit tests in shorter time.