Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
How often is the password to the mail server when Thunderbird is left open? Sorry if this is the wrong forum, but I am trying to figure out how much a strain bcrypt/scrypt put on a server that does more than just email.
Each time you "check for mail," a mail client initiates a new session with the mail server – using the password – then checks and receives the mail, then ends the session. However, there is virtually no overhead and therefore no "strain." Encryption algorithms are written to be very efficient. (For instance, your entire interaction with this web site is passing through quite a robust one!)
Encryption algorithms are written to be very efficient.
Halfpower isn't asking about encryption!
Bcrypt and scrypt are key derivation functions - they are written to be deliberately slow, and replace the misuse of fast hashing algorithms in password authentication.
I am trying to figure out how much a strain bcrypt/scrypt put on a server that does more than just email.
This suggests you don't have enough users for it to matter - otherwise why would you be running it all from a single server?
However, you can probably check server logs to see how frequently email login requests are made at peak times - once you know that, double the rate and run a script on your staging/test server to see what sort of load you might expect, and go from there.
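The measurement suggested in the reply above, as an added example that is not code from the thread: count password verifications per minute in the mail log, take the busiest minute, double it, and multiply by the measured cost of one hash. The Dovecot-style log format, the sample lines, the function names and the scrypt parameters (n=2^14, r=8, p=1) are all assumptions; failed sessions are counted per attempt because each attempt costs a hash too.

```python
import hashlib
import os
import re
import time
from collections import Counter

# Constructed sample in Dovecot's syslog style (assumed format; adapt ATTEMPT_RE to your server).
SAMPLE_LOG = """\
Nov 29 10:00:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Nov 29 10:00:41 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS
Nov 29 10:01:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Nov 29 10:01:17 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Nov 29 10:01:50 mail dovecot: imap(alice): Logged out in=120 out=2048
Nov 29 10:02:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS
"""

# A successful login costs one hash; a failed session costs one per attempt.
ATTEMPT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ dovecot: (?:imap|pop3)-login: "
    r"(?:Login:|Disconnected \(auth failed, (\d+) attempts)")

def attempts_per_minute(log_text):
    """Count password verifications per minute, keyed by 'Mon DD HH:MM'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            counts[m.group(1)] += int(m.group(2) or 1)
    return counts

def peak_minute(counts):
    """Return (minute, attempts) for the busiest minute, or (None, 0) if empty."""
    return max(counts.items(), key=lambda kv: kv[1], default=(None, 0))

def seconds_per_hash(n=2**14, r=8, p=1, rounds=5):
    """Time one scrypt derivation on this machine (run it on the staging box)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.scrypt(b"constructed-password", salt=salt, n=n, r=r, p=p)
    return (time.perf_counter() - start) / rounds

def core_utilisation(peak_per_minute, hash_seconds, factor=2):
    """Fraction of one CPU core spent hashing at `factor` times the observed peak."""
    return peak_per_minute * factor / 60.0 * hash_seconds

if __name__ == "__main__":
    minute, peak = peak_minute(attempts_per_minute(SAMPLE_LOG))
    cost = seconds_per_hash()
    print(f"peak {peak}/min at {minute}; {cost * 1000:.0f} ms per hash; "
          f"{core_utilisation(peak, cost):.2%} of one core at double the peak")
```

A result well below 1.0 means hashing fits in spare capacity on one core; a value near or above 1.0 means logins at that rate would compete with the other services on the box.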
After a user opens a session with the IMAP service, the service waits for commands from the mail client. If no commands are received, the session is considered to be idle.
[...]Many IMAP clients poll for new mail every 10 minutes, so it's best to set the value to greater than 10 minutes, because the overhead of supporting an idle session is less than the overhead required to support clients logging in and opening mailboxes.
By default, servers drop idle sessions after 30 minutes.
Thunderbird is set to check for new mail every ten minutes. However, when I leave Thunderbird open, new mail shows up almost as soon as it's received by the server. I'm guessing that a hefty bcrypt/argon2 hasher would be enough to lock up the web server for 1, maybe even 3, seconds. I don't want to pay for an extra CPU core solely for the purpose of hashing passwords; however, web server performance and security are more important. I think I will have to dig deeper into the email server log files.
Last edited by halfpower; 11-29-2021 at 10:36 AM.
Reason: to fix English