Password List Performance Testing

We’re asked every now and again about potential performance impacts with regard to the size of Password Lists.  While every organisation is different there are some general considerations that should be thought about when designing your Password Lists within Passwordstate.  These include,

  • Logically separate your password credentials based on meaningful descriptors such division, team, function, role etc.
  • Use Folders to group like Password Lists
  • Try to apply consistent permissions within a navigation tree’s nested folders
  • Keep the Password List display grid to 50 records or less

Despite using these points when designing your Password Lists you may still end up being tempted to create a few big lists.  But how big is too big?

Sample Server Specification

We recently performed some performance testing for a customer who was looking at potentially creating some really big Password Lists.  For the sake of consistency during the performance testing we spun up a modest Hyper V Windows Server 2019, using 2 processors and 8 GB of RAM in our Technical Support Test Lab,

Password List Sizing’s Used

Whilst many organizations end up with Password Lists that are organized in quite a granular fashion (using the considerations at the top of this blog entry) we’ve positioned the samples on the generous side of things when performing the testing. 

The performance issue you encounter with extremely large Password Lists is directly related to HTML rendering.  We generated 5 Password Lists, containing 5,000, 7,500, 10,000, 25,000 and 50,000 password credentials by first creating the Password Lists in the Passwordstate UI and then using our API to add in the required number of passwords for each particular List.  The Lists didn’t need to contain usable login entries as such, they just needed to contain correctly formatted password records.

Performance Results

The baseline performance testing results are tabulated below.  The good news is that Password Lists will take a fair number of password records before being substantially impacted by HTML rendering,

Password List NameNumber of RecordsRendering Time
5000 Passwords5,000Less than 1 second
7500 Passwords7,5001.5 seconds
10000 Passwords10,0002 seconds
25000 Passwords25,0004 seconds
50000 Passwords50,0008 seconds

Based on the results above most organizations could scale-up individual Password Lists to accommodate between 5,000 to 7,500 password records if required and still have response times for rendering between 1 to 1.5 seconds.  Having said this, we can’t really think why you would need to have this volume of password records in a single list if you’ve designed your Passwordstate implementation and Password Lists appropriately.

Impact on IIS Worker Process

Another point worth noting, is the impact on your IIS Worker Process.  During the performance benchmarking we observed the larger Password Lists had a significant impact on the resources required for the IIS Worker Process.  Running the test on the 25,000 password records list caused the CPU usage to spike to 51% and the 50,000 password records list to spike at 55% CPU usage.

We hope this information is helpful and we welcome feedback via