
The Spring documentation doesn't say much, just that the default strength is 10. How does one determine when using increased strength might be warranted, and what is the trade-off?

1 Answer


Adding one to the parameter doubles cost for both defender and attacker. You want to maximize cost for the attacker, while keeping the cost for the defender acceptable.

Benchmark it for different choices on your target hardware. Choose the largest value which offers acceptable performance. For server applications that's typically somewhere between 10 and 100ms.

CodesInChaos
  • Thank you! I went ahead and ran some examples with different strength parameters. While double isn't exact, it works as a nice simple rule of thumb. – Chandler Prince Oct 13 '17 at 15:39
  • For what it's worth, Dropbox was using cost 10 in 2016, and has stated that they intend to bump it up as time goes on. – Royce Williams Oct 13 '17 at 17:13
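The benchmarking the answer recommends, as an added example that is not part of the original answer: it times Spring Security's BCryptPasswordEncoder at increasing strengths, picks the largest one that stays inside a per-hash time budget, and shows that hashes made at a lower strength still verify after the strength is raised. It assumes spring-security-crypto on the classpath; the 100 ms budget and the sample password are assumptions for this example, not values from the page.

```java
import java.util.Arrays;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptStrengthBenchmark {

    // Assumed budget per hash on the login path; the answer suggests 10-100 ms
    // for server applications, so this picks the upper end of that range.
    static final long BUDGET_MS = 100;

    // Hash once at the given strength and return wall-clock time in milliseconds.
    static long timeEncodeMs(int strength, String password) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        long start = System.nanoTime();
        encoder.encode(password);
        return (System.nanoTime() - start) / 1_000_000;
    }

    // Median of several runs so JIT warm-up and GC pauses do not skew one sample.
    static long medianEncodeMs(int strength, String password, int runs) {
        long[] samples = new long[runs];
        for (int i = 0; i < runs; i++) {
            samples[i] = timeEncodeMs(strength, password);
        }
        Arrays.sort(samples);
        return samples[runs / 2];
    }

    // Largest strength whose median time fits the budget; never below the default 10.
    static int largestStrengthWithinBudget(String password) {
        int chosen = 10;
        for (int strength = 10; strength <= 16; strength++) {
            long ms = medianEncodeMs(strength, password, 5);
            System.out.printf("strength=%d  median=%d ms%n", strength, ms);
            if (ms > BUDGET_MS) break;   // each further step roughly doubles again
            chosen = strength;
        }
        return chosen;
    }

    // A bcrypt hash embeds its own cost ("$2a$10$..."), so a hash stored at strength 10
    // still verifies once the configured strength is 12; upgradeEncoding() (Spring
    // Security 5.1+) reports that it should be re-hashed at the next successful login.
    static boolean storedHashStillVerifies(String password) {
        String stored = new BCryptPasswordEncoder(10).encode(password);
        BCryptPasswordEncoder upgraded = new BCryptPasswordEncoder(12);
        return upgraded.matches(password, stored) && upgraded.upgradeEncoding(stored);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";   // constructed sample input
        System.out.println("largest strength within budget: " + largestStrengthWithinBudget(password));
        System.out.println("old hash verifies and is flagged for upgrade: " + storedHashStillVerifies(password));
    }
}
```

Run it on the hardware that will actually serve logins, since the measured times are what matter, and repeat the measurement when that hardware changes.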