
In the web application I use 10,000+ iterations for hashing passwords stored in the database (random salt and all). Password-related operations are not frequent enough to create a noticeable performance hit. Signing authentication tokens is a different story. This happens on every token renewal, which may happen on every request but in practice is configured to happen at least every X seconds. I cannot find any recommendation as to the number of iterations for generating the HMAC for an encrypted payload such as the token. What are the risks of using a very low number, let's say 10? I use 24-byte salts.

Vlad

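An added worked example (not part of Vlad's question and not code anyone posted) showing the point a practitioner would make here: an HMAC tag over a token is a single keyed hash, and its strength rests on the secrecy and entropy of the key, not on an iteration count. Iteration counts belong to password-based key derivation, where a low-entropy secret has to be stretched, and that step runs once (at start-up or key rotation), not per token. Everything below is assumed for illustration: the token format base64url(payload).base64url(HMAC-SHA256(payload)), a 32-byte signing key, a 24-byte salt matching the question, and constructed sample claims with a fixed clock so the results are reproducible.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64u(raw: bytes) -> bytes:
    # URL-safe base64 without padding, as is common for tokens.
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64u_decode(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def derive_signing_key(passphrase: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Where iterations belong: stretching a low-entropy secret into a key.

    This is the expensive step and it runs once, at start-up, not on every
    token renewal. If the key is generated with os.urandom(32) instead, no
    stretching is needed at all. The 24-byte salt mirrors the question.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


class TokenSigner:
    """Issues and verifies HMAC-SHA256 signed tokens (hypothetical example class)."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("HMAC-SHA256 key should be at least 32 high-entropy bytes")
        self._key = key

    def _tag(self, body: bytes) -> bytes:
        # One HMAC call per token: no iterations, the key carries the security.
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, claims: dict, ttl_seconds: int, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        payload = dict(claims, iat=now, exp=now + ttl_seconds)
        body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        return (body + b"." + _b64u(self._tag(body))).decode("ascii")

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Returns the claims if the tag matches and the token is unexpired, else None."""
        now = int(time.time()) if now is None else now
        try:
            body, tag = token.encode("ascii").split(b".")
            # Constant-time comparison so a forger learns nothing from timing.
            if not hmac.compare_digest(_b64u_decode(tag), self._tag(body)):
                return None
            claims = json.loads(_b64u_decode(body))
        except ValueError:  # bad split, bad base64, bad JSON, non-ASCII
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims

    def renew(self, token: str, ttl_seconds: int, now: Optional[int] = None) -> Optional[str]:
        """The per-request path from the question: verify, then re-issue with a fresh expiry."""
        claims = self.verify(token, now)
        if claims is None:
            return None
        fresh = {k: v for k, v in claims.items() if k not in ("iat", "exp")}
        return self.issue(fresh, ttl_seconds, now)


if __name__ == "__main__":
    # Constructed demo: derive the key once, then sign and renew cheaply.
    key = derive_signing_key("server secret passphrase", b"\x00" * 24)
    signer = TokenSigner(key)
    token = signer.issue({"sub": "alice"}, ttl_seconds=300)
    print(token)
    print(signer.verify(token))
    print(signer.renew(token, ttl_seconds=300))
```

The per-renewal cost is one HMAC-SHA256 over a short body, which is far cheaper than a single password hash, so there is no throughput reason to cut corners. The checks that matter for the token are the ones `verify` performs: a constant-time tag comparison, rejection of malformed input, and an expiry check; a tag that compares equal proves the body came from a holder of the key, and no number of extra hashing rounds would add to that.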