Participating Frequently
July 31, 2017
Question

Password salt / hash performance on similar hardware

  • 2 replies
  • 1507 views

I am using the following code as a test:

<cfset PlainTextPassword = "Testing123^^%%@@!">

<cfset tickBegin = GetTickCount()>

<cfset salt = Hash(GenerateSecretKey("AES"), "SHA-512")>

<cfset hashedPassword = Hash(Trim(PlainTextPassword) & salt, "SHA-512", "utf-8", 57500)>

<cfset tickEnd = GetTickCount()>

This runs in ~50-70 milliseconds on our test servers, but takes around 5 seconds on our live production server, which has similar to better specs:

| Server | OS | Processor | RAM | Applications | ColdFusion settings | Load |
|--------|----|-----------|-----|--------------|---------------------|------|
| test | 64-bit (same) | Xeon X5670 (2 cores) | 4GB | ColdFusion (same), MySQL | Set to use up to 1GB RAM | ~0-5 concurrent users |
| live | 64-bit (same) | Xeon X5670 (4 cores) | 6GB | ColdFusion (same) | Set to use up to 2GB RAM | ~50+ concurrent users |

Any idea on why the difference is so drastic?

Thanks in advance.


    Participating Frequently
    August 2, 2017

    Charlie Arehart was in the middle of helping me troubleshoot this, and the problem magically went away while we were in the middle of looking at log files (it was a persistent problem for almost a week prior to this). It now runs a bit faster (~40-50 ms) than our test servers, which is what I expected at the start.

    We hadn't made any changes to anything. I'm wracking my brain trying to figure out what could have changed - our IT department confirmed that they didn't change anything related to the VM or network.

    Charlie suggested that I look into at least getting a demo of FusionReactor if the problem reappears, which we will do.

    Inspiring
    July 31, 2017

    What version of ColdFusion? What hotfix of that version?

    Which version of the JVM are you running with ColdFusion?

    I assume the time you say is from the getTickCount() calculation?

    What happens if you change the iterations argument?

    Participating Frequently
    July 31, 2017

    Thanks for the reply.

    The ColdFusion (w/ hotfixes) and JVM versions are the exact same on both servers.

    Yes, the time is the result of the getTickCount()'s.

    If I knock it down to 10k iterations, it still takes ~800 ms on the production server. We can do this as a last resort, but to me, the vast difference points to a symptom of a misconfiguration or other problem that I should address. Our production server performs very well under its current load, though I suspect a higher load may expose some issues.

    Inspiring
    August 1, 2017

    What are the actual version numbers of ColdFusion and the JVM?
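
The figures reported in the thread (~5 s at 57500 iterations, ~800 ms at 10k) work out to roughly 80-87 microseconds per iteration on the live server, against about 1 microsecond on the test server, so the slowdown scales with the iteration count instead of being a fixed overhead. The following added example (not code from the original posts) repeats the question's measurement across several iteration counts and times the salt generation separately, so the two servers can be compared on minimum, median and maximum instead of a single run. The iteration counts, run count and variable names are assumptions chosen for illustration.

```cfml
<!--- Added example: repeat the timing test so one slow run cannot mislead. --->
<cfset PlainTextPassword = "Testing123^^%%@@!"><!--- test value from the question --->
<cfset iterationCounts = [1000, 10000, 57500]><!--- assumed sweep; 57500 is the question's value --->
<cfset runsPerCount = 15><!--- assumed sample size --->
<cfset results = []>

<!--- Time salt generation on its own so it is not mixed into the hash timing. --->
<cfset tickBegin = GetTickCount()>
<cfset salt = Hash(GenerateSecretKey("AES"), "SHA-512")>
<cfset saltMs = GetTickCount() - tickBegin>

<cfloop array="#iterationCounts#" index="iters">
    <cfset samples = []>
    <cfloop from="1" to="#runsPerCount#" index="run">
        <cfset tickBegin = GetTickCount()>
        <cfset hashedPassword = Hash(Trim(PlainTextPassword) & salt, "SHA-512", "utf-8", iters)>
        <cfset ArrayAppend(samples, GetTickCount() - tickBegin)>
    </cfloop>

    <!--- Sort ascending: first = best case, middle = typical, last = worst case. --->
    <cfset ArraySort(samples, "numeric")>
    <cfset medianMs = samples[Ceiling(runsPerCount / 2)]>

    <cfset row = {
        iterations = iters,
        minMs = samples[1],
        medianMs = medianMs,
        maxMs = samples[runsPerCount],
        usPerIteration = Round(medianMs * 1000 / iters * 10) / 10
    }>
    <cfset ArrayAppend(results, row)>
</cfloop>

<!---
  Reading the output:
  - usPerIteration roughly constant across counts: the cost is in the hash loop itself.
  - minMs close to the other server but maxMs far higher: runs are being delayed
    intermittently, which points at contention on the host, not at the code.
  - saltMs large: the delay is in key generation, not in hashing.
--->
<cfoutput>Salt generation: #saltMs# ms</cfoutput>
<cfdump var="#results#">
```

Run the same template on both servers and compare the rows for equal iteration counts; lowering the iteration count only to hide a slow host also lowers the work an attacker must do per password guess.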