• The environment starts using a large amount of CPU and also memory.
• Reviewing thread dumps taking during that time, there are many threads associated to PBKDF2PasswordEncryptor.encrypt, such as:

  "https-jsse-nio-8443-exec-5" #115 daemon prio=5 os_prio=0 cpu=274186.74ms elapsed=911.21s tid=0x00007fdc336f0800 nid=0xbca3c runnable [0x00007fdacebda000]
  java.lang.Thread.State: RUNNABLE
    at java.security.MessageDigest$Delegate.engineUpdate(java.base@11.0.24/MessageDigest.java:623)
    at java.security.MessageDigest.update(java.base@11.0.24/MessageDigest.java:355)
    at com.sun.crypto.provider.HmacCore.engineDoFinal(java.base@11.0.24/HmacCore.java:223)
    at javax.crypto.Mac.doFinal(java.base@11.0.24/Mac.java:581)
    at javax.crypto.Mac.doFinal(java.base@11.0.24/Mac.java:624)
    at com.sun.crypto.provider.PBKDF2KeyImpl.deriveKey(java.base@11.0.24/PBKDF2KeyImpl.java:201)
    at com.sun.crypto.provider.PBKDF2KeyImpl.<init>(java.base@11.0.24/PBKDF2KeyImpl.java:117)
    at com.sun.crypto.provider.PBKDF2Core.engineGenerateSecret(java.base@11.0.24/PBKDF2Core.java:69)
    at javax.crypto.SecretKeyFactory.generateSecret(java.base@11.0.24/SecretKeyFactory.java:344)
    at com.liferay.portal.security.password.encryptor.internal.PBKDF2PasswordEncryptor.encrypt(PBKDF2PasswordEncryptor.java:84)
    at com.liferay.portal.security.password.encryptor.internal.CompositePasswordEncryptor.encrypt(CompositePasswordEncryptor.java:90)
    at com.liferay.portal.security.password.encryptor.internal.BasePasswordEncryptor.encrypt(BasePasswordEncryptor.java:44)

• Reviewing heap dumps taken during that time, there are many array objects of hundreds of MB in size associated to the same stacktraces.

• Liferay DXP 7.4
• Liferay Quarterly Release

• This issue can occur if there are users trying to login whose password algorithm is a legacy one but the portal property passwords.encryption.algorithm.legacy is not informed.
• The portal property passwords.encryption.algorithm defines the current password encryption algorithm and has the default value passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/1300000, although some other options are available. 
• Nevertheless, some users might still have their password encrypted with one of the legacy encryption algorithms, indicated via the portal property passwords.encryption.algorithm.legacy, whose default value is SHA. 
• If the property passwords.encryption.algorithm.legacy is not informed, the current password algorithm will be used instead, producing the issue.
• To ensure that old users using legacy encryption algorithms can login correctly and to avoid CPU and memory overuse, add the property passwords.encryption.algorithm.legacy to the file portal-ext.properties with the correct value (most likely, SHA).
• Consider also defining a Password Policy that requires users to change their password regularly since changed passwords will be encrypted with the new algorithm. 
  • Note: this bug prevented the new algorithm from being used before 7.4 u54.

Additional Information

• This blog post explains Liferay's hashing algorithms and how their performance affects logins: Hashing Performance
  • A test is performed with BouncyCastle, which has been included since 2024.Q3.
• Change of Password Encryption Algorithm
• Too Many CPU Intensive Tasks: A Common Performance Issue in DXP 7.0 > Password Hashing