Bug #16720: GUI performance degradation due to check for weak passwords on each page load
Status: Closed
% Done: 100%
Description
Several expensive password hashing operations are performed on every page load, resulting in a noticeable degradation in WebGUI performance. The impact is most severe on low-end hardware such as the Netgate 1100 and 2100. This slowdown has become progressively worse as pfSense has adopted stronger hashing algorithms over the years.
The overhead of these redundant checks is now significant. On every page load the system verifies that the logged-in user’s password is neither equal to their username nor to the factory default password (“pfsense”). Both checks require hashing the username and “pfsense” strings and comparing them against the stored password hash. When a non-admin user has sufficient privileges to change the admin account password, the same checks are also performed against the admin account.
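The cost described above comes from running a deliberately slow password hash once per candidate string on every request. The following is an added example, not pfSense code: it models the per-request check, then the fix of computing the verdict once per login session and reusing it. hashlib.scrypt stands in for the crypt()/bcrypt hashes pfSense stores; the user records, the session dict, the privilege name "user-passwordmg" and the function names are constructed for the demo.

```python
"""Added example (not pfSense code): why a per-page-load weak-password check is
expensive, and how caching the verdict in the session removes the cost.

hashlib.scrypt stands in for the crypt()/bcrypt hashes pfSense actually stores;
the user records, session dict and privilege name are constructed for the demo.
"""
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "pfsense"                          # factory default the GUI warns about
SCRYPT_PARAMS = dict(n=2**13, r=8, p=1, dklen=32)     # deliberately slow, like bcrypt

HASH_CALLS = {"count": 0}                             # instrumentation: slow hashes performed


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def make_user(name: str, password: str, privs=()) -> dict:
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": hash_password(password, salt), "privs": set(privs)}


def has_weak_password(user: dict) -> bool:
    """One slow hash per candidate: the username and the factory default."""
    for candidate in (user["name"], DEFAULT_PASSWORD):
        if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
            return True
    return False


def check_current_password(user: dict, admin: dict) -> bool:
    """The check as the bug describes it: the logged-in user's own password, plus
    the admin account's when the user is allowed to change it."""
    weak = has_weak_password(user)
    if user is not admin and "user-passwordmg" in user["privs"]:   # constructed privilege name
        weak = weak or has_weak_password(admin)
    return weak


def page_load_uncached(user: dict, admin: dict, session: dict) -> bool:
    """Before the fix: every page load pays for the hashes again."""
    return check_current_password(user, admin)


def page_load_cached(user: dict, admin: dict, session: dict) -> bool:
    """After the fix: the verdict is computed once per login session and reused.
    The key must be cleared whenever a password changes (see on_password_change)."""
    if "insecure_user" not in session:
        session["insecure_user"] = check_current_password(user, admin)
    return session["insecure_user"]


def on_password_change(user: dict, new_password: str, session: dict) -> None:
    """Re-hash the new password and invalidate the cached verdict."""
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    session.pop("insecure_user", None)   # next page load re-runs the check once


def hashes_for(loads: int, handler, user: dict, admin: dict) -> int:
    """Count the slow hashes spent by `loads` page loads through `handler`
    within a single fresh session."""
    session = {}
    before = HASH_CALLS["count"]
    for _ in range(loads):
        handler(user, admin, session)
    return HASH_CALLS["count"] - before


if __name__ == "__main__":
    admin = make_user("admin", "correct horse battery staple")
    bob = make_user("bob", DEFAULT_PASSWORD, privs={"user-passwordmg"})
    print("uncached, 5 page loads:", hashes_for(5, page_load_uncached, bob, admin))
    print("cached,   5 page loads:", hashes_for(5, page_load_cached, bob, admin))
```

With the uncached handler a user whose password is the factory default costs two slow hashes on every page load (one for the username, one for "pfsense"); a strong-password user with the admin-change privilege costs four. With the session cache the same session pays that once. The cache is only safe if it is invalidated on every path that changes a password, including the admin account's, otherwise a user flagged insecure stays flagged (or unflagged) until they log in again.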
Updated by Christian McDonald about 1 month ago
- Status changed from In Progress to Waiting on Merge
Updated by Christian McDonald 29 days ago
- Status changed from Waiting on Merge to Feedback
Updated by Christian McDonald 29 days ago
- % Done changed from 0 to 100
Applied in changeset commit:661c57ce79c7009ea5230d5a8436a2ee4422fe76.
Updated by Jim Pingle 29 days ago
Will need to be re-tested once it's in a snapshot, but the initial results testing the patch are very promising on a 1100:
Load times for the same page:
- Without patch, old hash: ~1200ms
- Without patch, new hash: ~4000ms
- With patch, old hash: 400ms
- With patch, new hash: 400ms
Updated by luckman212 29 days ago
I looked at the patch, it's good but still had a noticeable delay after $insecure_user gets set. I dug into it and noticed that authgui.inc was still triggering a call to check_current_password() on every page load, even after the $insecure_user was confirmed false.
Still better than before, but when I added the additional patch below, speed improved noticeably again:
--- /etc/inc/authgui.inc 2026-02-26 15:55:49.060685000 -0500
+++ /etc/inc/authgui.new.inc 2026-02-26 15:56:32.283490000 -0500
@@ -103,7 +103,8 @@
* Check if the user has an insecure password and if so, redirect them to the
* password change page.
*/
-if (!str_contains($_SERVER['REQUEST_URI'], 'system_usermanager_passwordmg.php') &&
+if (!isset($_SESSION['insecure_user']) &&
+ !str_contains($_SERVER['REQUEST_URI'], 'system_usermanager_passwordmg.php') &&
!str_contains($_SERVER['REQUEST_URI'], 'system_usermanager.php') &&
!str_contains($_SERVER['REQUEST_URI'], 'wizard.php?xml=setup_wizard.xml') &&
($_SESSION['authsource'] == 'Local Database') &&
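Review bot: the added `!isset($_SESSION['insecure_user'])` guard skips the block for both cached outcomes, not just the confirmed-secure one, so once the key has been set to true a user who navigates away from system_usermanager_passwordmg.php is no longer redirected on later page loads. If the intent is to skip the hashing only after a negative result, test the value rather than its presence, e.g. `(!isset($_SESSION['insecure_user']) || $_SESSION['insecure_user']) &&`, and confirm that the code assigning `$_SESSION['insecure_user']` (outside the visible hunk) is also reset on the password-change path so a fixed password is not reported as insecure until re-login.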
I tested for a while on my 6100 running 26.03.b.20260219.2016 - login/logout, setting password to `pfsense` or `admin/admin` and everything worked as expected.
Updated by Christian McDonald 29 days ago
yep, that block of code is Plus-specific, and we have that place patched too :)
Updated by luckman212 29 days ago
Ok, looks good then. I couldn't see it from the diff Christian McDonald 👍
Updated by Jim Pingle 28 days ago
- Subject changed from WebGUI performance degradation caused by redundant password hashing to GUI performance degradation due to check for weak passwords on each page load
- Status changed from Feedback to Resolved
Looks good on snapshots as well. GUI feels a lot faster overall.