2

I built a php hashing system and I'm confused with the speed performance of script. I made a benchmark of the script for different amount of requests (the speed is only for the script nothing else involved).

10 requests: 0.001 sec

100 requests: 0.011 sec

1000 requests: 0.073 sec

10000 requests: 0.667 sec

100000 requests: 6.776 sec

After 1 million the server returns blank screen

My confusion:

if 1000 users try to login at the same time will it take 0.00001 sec for each user's password input to be hashed and checked against their original or 0.073sec for each user?

benM this is the script for benchmark:

function test() 
{
  global $result;
  ob_start();
  $x = microtime(true);

  while($i < 10000) 
  {
      print // here you add whatever you want to test;
      ++$i;
  }

  $temp = microtime(true) - $x;
  ob_end_clean();
  return $temp;
}
echo number_format(test(), 3);
Improve this question
9
  • 3
    How have you benchmarked this? If it was in a single request to the server, you don't need to worry. The 0.00001 second is correct for single requests. Each login is essentially a separate connection and thus request. The server should manage that as if it were a single request (difficult to explain, but hopefully that makes sense). Commented Jan 17, 2013 at 12:42
  • 2
    Servers today are multi-threaded. Machines today have multiple cores. This goes well together. You're worrying about such things far too soon. Premature optimization is the root of all evil. Commented Jan 17, 2013 at 12:44
  • Re the million returning blank -- is it triggering the PHP timeout? You can set the timeout value in php.ini/htaccess or within the program. Commented Jan 17, 2013 at 12:45
  • Re "I have built a hashing system": What algorithm are you using? Also, if it's for password hashing, be aware that fast is not considered good for password hashing algorithms. The faster they are, the quicker they are to hack. Also, if this is for passwords, may I humbly suggest using a decent secure library like this one rather than rolling your own. Commented Jan 17, 2013 at 12:47
  • 1
    @alex_petrea - fair enough. bcrypt is the best algorithm to be using, so you're on the right track if you're using that. (it's the one used by the library I suggested, and any other decent libraries you'll find) Commented Jan 17, 2013 at 12:59

1 Answer 1

Reset to default
0

The benchmarking script that you have used is not ideal, since it tests them in a single request. You don't have to worry about this, since IRL, no user is going to be logging in 1,000 times in a single request!

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.