One of my biggest concerns when developing an application has always been the performance it will have, especially on shared servers, which most of my clients rely on. Micro-optimizations are always welcome in my systems, because I follow the old saying: grain by grain, the hen fills her crop.
However, I recently started to focus on the security of systems, where I felt a certain lack of attention to such an important factor.
I have always used sha1 and md5 for storage in the database, but recently I read a thread saying this technique is no longer recommended, because collisions are possible and because both are very easy to "break" by brute force.
I then learned about the PHP function password_hash, which would be the "new" way to store this information in the DB.
However, in my tests, I saw that this function is not very friendly to performance.
In the above image, the red indicator refers to the script using sha1(md5($senha)), and the blue indicator to the script using password_hash($senha, PASSWORD_DEFAULT, ['cost' => 12]). A remarkable performance drop, reaching almost 80%.
I know that security is essential, but: to what extent should it interfere with performance, and consequently with user experience, which may already suffer on a slower server?
How do I weigh both to maintain a balance?
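Added example (not part of the original question or its answers): one way to pick the bcrypt cost from a time budget measured on the actual server, instead of a fixed 12, and to verify a stored hash while transparently upgrading legacy sha1(md5()) records on successful login. The 250 ms budget and the test password are assumptions.

```php
<?php
// Added example: calibrate the bcrypt cost to a time budget on this machine,
// then verify a login and rehash when the stored format is weak or outdated.
declare(strict_types=1);

// Returns the highest cost whose single hash stays under $targetMs (assumed budget).
function calibrateBcryptCost(float $targetMs, int $minCost = 10, int $maxCost = 14): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs >= $targetMs) {
            // This cost already exceeds the budget; keep the previous one.
            return max($minCost, $cost - 1);
        }
    }
    return $maxCost;
}

// Verifies $password against $storedHash; returns whether it matched and,
// when the record should be upgraded, a fresh bcrypt hash to persist.
function loginAndUpgrade(string $password, string $storedHash, int $cost): array
{
    // Legacy record: sha1(md5($senha)) as in the question, a 40-char hex digest.
    $isLegacy = preg_match('/^[0-9a-f]{40}$/', $storedHash) === 1;
    $ok = $isLegacy
        ? hash_equals($storedHash, sha1(md5($password))) // constant-time compare
        : password_verify($password, $storedHash);
    if (!$ok) {
        return ['ok' => false, 'newHash' => null];
    }
    $needsRehash = $isLegacy
        || password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return [
        'ok'      => true,
        'newHash' => $needsRehash ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]) : null,
    ];
}

$cost   = calibrateBcryptCost(250.0);          // assumed budget: 250 ms per hash
$legacy = sha1(md5('senha-de-teste'));         // constructed legacy DB record
$result = loginAndUpgrade('senha-de-teste', $legacy, $cost);
printf("cost=%d ok=%s upgraded=%s\n",
    $cost,
    var_export($result['ok'], true),
    $result['newHash'] !== null ? 'yes' : 'no');
```

The calibration runs once at deploy time, not per request; the rehash-on-login path is what lets a site move off sha1(md5()) without forcing password resets.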
As it is a personal opinion, I will put it here as a comment. I believe that, as long as the user does not have to wait several seconds for a response from the page, I see no problem in "harming" performance for a gain in security. You, as the "tester", can get this feeling: if you find yourself bothered waiting for the test result, it may be that you have exceeded the limit...
– KaduAmaral
@KaduAmaral It may be that there is a "prejudice" instilled in me, from always applying micro-optimizations and seeing values as percentages rather than real results. Reflecting on your comment, I realized that, in fact, a 300ms increase in processing, in only 2 actions (login and account creation), can be a cheap price to pay compared to the security provided in return.
– Daniel Bonifácio
Yes Daniel, I have also read an article about these micro-optimizations, and the author's conclusion was that "unless you are creating a site like Google that receives millions of requests per minute, it is not worth the time spent on these optimizations for the gain they offer."
– KaduAmaral