Bcrypt performance


We are planning to migrate our OAuth services to Hydra and are currently testing the response time of Hydra in Kubernetes.
We have 4 Hydra pods (2 CPUs each), and when running the load test (client_credentials flow, 10 concurrent users, 100 requests), we see the bcrypt performance ranging from 61 ms to 380 ms.
The bcrypt work factor is set to 8.

Is it common for bcrypt performance to vary like this?
What should the CPU size be to keep the bcrypt performance below 100 ms?


Yes, BCrypt is pretty slow. We will probably roll out a new, faster hashing algorithm (e.g. SHA-based). In scenarios where client secrets are auto-generated by the system and not set by the user, the secret should not be considered a user password / PII, which makes the tradeoff between security and performance OK.
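
The tradeoff described in the answer, as an added example that is not part of the original thread and is not Hydra's code: a client secret generated from 256 bits of CSPRNG output is stored as a single SHA-256 digest and checked in constant time, while values that do not have the generated shape are refused the fast hash. The function names and the choice of SHA-256 as the "SHA-based" algorithm are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// secretBytes: 32 bytes = 256 bits of CSPRNG output per generated secret.
const secretBytes = 32

// NewClientSecret (hypothetical name) returns a system-generated secret, shown
// to the client once, and the digest the server stores in its place.
func NewClientSecret() (secret string, digest [sha256.Size]byte, err error) {
	raw := make([]byte, secretBytes)
	if _, err = rand.Read(raw); err != nil {
		return "", digest, err
	}
	secret = base64.RawURLEncoding.EncodeToString(raw)
	return secret, sha256.Sum256([]byte(secret)), nil
}

// HashClientSecret applies the fast hash only to values with the generated
// shape. This is a shape check; it cannot prove the value was random.
func HashClientSecret(secret string) ([sha256.Size]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(secret)
	if err != nil || len(raw) != secretBytes {
		return [sha256.Size]byte{}, errors.New("not a system-generated secret")
	}
	return sha256.Sum256([]byte(secret)), nil
}

// VerifyClientSecret hashes the presented value and compares in constant time.
func VerifyClientSecret(presented string, stored [sha256.Size]byte) bool {
	got := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(got[:], stored[:]) == 1
}

func main() {
	secret, digest, err := NewClientSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", VerifyClientSecret(secret, digest))
	_, err = HashClientSecret("hunter2") // constructed sample of a user-chosen secret
	fmt.Println("user-chosen secret refused:", err != nil)
}
```

Secrets chosen by a person do not meet the entropy assumption and still need a slow password hash such as bcrypt.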