Apologies if the answer is obvious, I'm just a little curious and couldn't nail down an answer elsewhere.
I'm used to seeing authentication servers use simple SHA-1 or SHA-256 to validate credentials, but best practice these days is normally to use bcrypt for credential hashing.
The problem is that bcrypt is designed to use significant amounts of CPU and/or memory to limit the efficacy of brute-forcing algorithms. Easy for a single logon, but when hundreds or thousands of logons are involved, do server admins just throw extreme amounts of hardware at the problem, or do they tweak the bcrypt parameters to ensure a reasonable logon time for users?
You ~~can't~~ shouldn't be tweaking the bcrypt parameters too low. The parameters should be set so that it takes at least ~250 ms to verify a password. That means you will be consuming 100% of a CPU core for 250 ms each login.
So:
Fortunately once someone logs in, you will hand them back an authentication cookie. If you do it right, and the authentication cookie doesn't expire for 50+ years, you'll never have to verify their password again.
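A worked version of the sizing argument in the answer above, added here as an example and not part of the original post: it calibrates the bcrypt cost factor until one hash takes about 250 ms on the machine it runs on, then turns that per-hash time into logins per second per core and the core count needed for a given peak. It assumes the PyPI `bcrypt` package; if that is absent it falls back to a PBKDF2 stand-in whose work also doubles per cost step, purely so the calibration loop still runs. The sample password and the peak-login figures are constructed.

```python
"""Calibrate a bcrypt cost to a target verify time and size the login tier.

Added example, not from the original post. Assumes the PyPI 'bcrypt' package
(pip install bcrypt); without it a PBKDF2 stand-in with a doubling cost curve
is used only so the timing loop can be demonstrated.
"""
import hashlib
import hmac
import math
import os
import time
from typing import Callable, Tuple

try:
    import bcrypt  # assumption: the third-party 'bcrypt' package is installed
except ImportError:
    bcrypt = None  # fall back to the PBKDF2 stand-in below

# Constructed sample credential used only for timing runs (not a real secret).
SAMPLE_PASSWORD = b"correct horse battery staple"


def hash_password(password: bytes, cost: int) -> bytes:
    """Hash at the given cost factor; bcrypt does 2**cost key-setup rounds.

    Note bcrypt only looks at the first 72 bytes of the password.
    Stand-in (no bcrypt module): PBKDF2-HMAC-SHA256 with 2**cost * 64
    iterations, chosen only to mimic bcrypt's doubling per cost step.
    """
    if bcrypt is not None:
        return bcrypt.hashpw(password, bcrypt.gensalt(rounds=cost))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, (2 ** cost) * 64)
    return b"$pbkdf2-standin$%d$%s$%s" % (cost, salt.hex().encode(), digest.hex().encode())


def verify_password(password: bytes, stored: bytes) -> bool:
    """Constant-time comparison against a stored hash from hash_password()."""
    if bcrypt is not None and stored.startswith(b"$2"):
        return bcrypt.checkpw(password, stored)
    _, _, cost, salt_hex, digest_hex = stored.split(b"$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password, bytes.fromhex(salt_hex.decode()), (2 ** int(cost)) * 64
    )
    return hmac.compare_digest(digest.hex().encode(), digest_hex)


def time_hash_ms(cost: int) -> float:
    """Wall-clock milliseconds for a single hash at this cost on this host."""
    start = time.perf_counter()
    hash_password(SAMPLE_PASSWORD, cost)
    return (time.perf_counter() - start) * 1000.0


def calibrate_cost(
    target_ms: float = 250.0,
    time_one: Callable[[int], float] = time_hash_ms,
    min_cost: int = 4,   # bcrypt's lowest accepted cost
    max_cost: int = 31,  # bcrypt's highest accepted cost
) -> Tuple[int, float]:
    """Smallest cost whose single-hash time reaches target_ms (cost, ms).

    Each step roughly doubles the work, so the loop stops within a few
    iterations. If even max_cost is too fast, that cost is returned.
    """
    ms = 0.0
    for cost in range(min_cost, max_cost + 1):
        ms = time_one(cost)
        if ms >= target_ms:
            return cost, ms
    return max_cost, ms


def logins_per_second(cost_ms: float, cores: int, utilization: float = 1.0) -> float:
    """Verifications per second if every core spends cost_ms per login."""
    return cores * (1000.0 / cost_ms) * utilization


def cores_for_peak(peak_logins_per_second: float, cost_ms: float, headroom: float = 0.7) -> int:
    """Cores needed to absorb a login peak while keeping CPU at `headroom`."""
    core_seconds = peak_logins_per_second * cost_ms / 1000.0
    return math.ceil(core_seconds / headroom)


if __name__ == "__main__":
    cost, ms = calibrate_cost(250.0)
    print(f"cost={cost} takes {ms:.0f} ms per verify on this host")
    print(f"{logins_per_second(ms, 8):.1f} logins/s on 8 fully busy cores")
    print(f"{cores_for_peak(1000, ms)} cores for a constructed peak of 1000 logins/s")
    stored = hash_password(SAMPLE_PASSWORD, cost)
    print("verify ok:", verify_password(SAMPLE_PASSWORD, stored))
```

The calibration runs on the authentication host itself, since the 250 ms target is about that hardware; re-run it after a hardware change, and raise the stored cost over time rather than lowering it to absorb load. The throughput figures make the answer's point concrete: at 250 ms per verify, a core handles only four logins per second, which is why the session cookie, not a cheaper hash, is what keeps the tier affordable.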