Skip to main content

Bcrypt Hashing

note

This is the default password hashing algorithm used by SuperTokens

Algorithm settings#

password_hashing_alg#

This setting chooses which password hashing algorithm to use. For using Bcrypt, set this to BCRYPT.

bcrypt_log_rounds (Default is 11)#

The number of rounds to use for hashing will be 2^bcrypt_log_rounds. The higher this value, the more time hashing will take.

Changing settings#

docker run \
-p 3567:3567 \
-e PASSWORD_HASHING_ALG=BCRYPT \
-e BCRYPT_LOG_ROUNDS=11 \
-d registry.supertokens.io/supertokens/supertokens-<db_name>
note

Changing settings will not affect older passwords. Older passwords will continue to be verified using the same settings as the ones when they were created.

Calibration to your hardware#

note
  • This is only applicable for self hosted users. For managed service users, we have already calibrated the params based on our hardware.
  • It can take several minutes for this algorithm to run.

To find the optimal setting for your hardware, you can run the hashingCalibrate command via our CLI. This command takes a few params:

  • --with_alg:
    • The value of this should be bcrypt.
    • Compulsory param
  • --with_time_per_hash_ms:
    • This is the target time per hash (in milliseconds) that we want to achieve.
    • The default value is 300
docker run registry.supertokens.io/supertokens/supertokens-<db_name> supertokens hashingCalibrate --with_alg=bcrypt

The above will produce an output like:

====Input Settings====
-> Target time per hash (--with_time_per_hash_ms): 300 MS


====Running algorithm====

Current log rounds: 11
..........Took 158 MS per hash

Incrementing log rounds and trying again...

Current log rounds: 12
..........Took 310 MS per hash

====Final values====
Average time per hash is: 310 MS

bcrypt_log_rounds: 12

====================
You should use this as a docker env variable or put this in the config.yaml file in the SuperTokens installation directory.

The contents of the ====Final values==== gives you the values of the parameters to provide to the core.

The algorithm starts with the minimum recommended value (11), and increments it until the average time per hash is greater than the target time. The final value is then equal to the value that yiels the closest time per hash as the target one.