Tags: web-services, authentication, restful-authentication, password-hash

How long should password authentication take?


I understand that it's best practice to use a slow hash function such as bcrypt, scrypt or argon2 when storing passwords in a database. Most of the documentation I've read regarding choosing parameters, such as time and memory cost, suggests setting values as high as you can to frustrate password cracking attempts should an attacker gain access to your database. My question is: what sort of resource consumption is acceptable when authenticating users in a web application? I understand that the answer to this question will vary based on factors such as the specs of the server performing the authentication, the frequency at which authentication occurs, etc., but I'd like to get some general suggestions as to what would be sensible and what wouldn't. Is taking one second for password authentication too long? If my server has 8GB of memory, is using 1GB for the hash memory cost too high? I expect that the application in question will only perform password authentication occasionally, as it uses token-based authentication for the majority of requests.


Solution

  • Is taking one second for password authentication too long?

    Not if your users will tolerate it, but I think a few hundred milliseconds should be sufficient. See this excellent answer to a more specific question.

  • If my server has 8GB of memory, is using 1GB for the hash memory cost too high?

    I wouldn't expect your password hashing strategy to require nearly that much memory. Hashing is generally a CPU/compute-bound task.
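The practical way to settle the "how slow" question is to measure on the authentication server itself rather than to pick parameters from a table. The following is an added example, not code from the question or the answer above: it calibrates `hashlib.scrypt` from the Python standard library to a wall-clock budget, reports the memory each parameter set needs (for scrypt that is roughly 128·r·N bytes, so N and r, not the server's RAM, decide the footprint), and stores the parameters next to each hash so they can be raised later with a re-hash on the next successful login. The 250 ms target, the 256 MiB cap and the `scrypt$n$r$p$salt$hash` storage format are assumptions for the demonstration, not recommendations from the page.

```python
"""Calibrate scrypt password hashing to a wall-clock budget.

Added example, not code from the original question or answer. Standard
library only (hashlib.scrypt needs a Python built against OpenSSL 1.1+).
The time budget, memory cap and storage format are assumptions for the demo.
"""
import hashlib
import hmac
import os
import time

SALT_BYTES = 16
KEY_BYTES = 32


def scrypt_memory_bytes(n, r, p=1):
    """Approximate working set of scrypt as OpenSSL allocates it:
    the V array (128*r*n bytes), the B buffer (128*r*p) and a small
    XY scratch area (128*r*2)."""
    return 128 * r * (n + p + 2)


def scrypt_hash(password, salt, n, r, p):
    # hashlib.scrypt refuses to run if the parameters need more than maxmem
    # (default 32 MiB), so raise the cap to match; it must stay below INT_MAX.
    need = scrypt_memory_bytes(n, r, p)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=min(2 * need, 2**31 - 1), dklen=KEY_BYTES)


def time_hash(n, r=8, p=1, rounds=3):
    """Best-of-N wall-clock time for a single hash with these parameters."""
    password = b"correct horse battery staple"  # constructed test input
    salt = os.urandom(SALT_BYTES)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        scrypt_hash(password, salt, n, r, p)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate(target_seconds=0.25, max_memory_bytes=256 * 2**20, r=8, p=1):
    """Pick the largest power-of-two n that stays inside both the time
    budget and the memory cap. Run this on the machine that will actually
    verify passwords; the answer depends on its CPU and memory."""
    n = 2**10
    chosen = None
    while scrypt_memory_bytes(n, r, p) <= max_memory_bytes:
        elapsed = time_hash(n, r, p)
        if elapsed > target_seconds:
            break
        chosen = {"n": n, "r": r, "p": p, "seconds": elapsed,
                  "memory_mib": scrypt_memory_bytes(n, r, p) / 2**20}
        n *= 2
    if chosen is None:
        raise RuntimeError("n=2**10 already exceeds the budget; raise the target or lower r")
    return chosen


def hash_password(password, n, r=8, p=1):
    """Store the parameters with the salt and digest so they can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = scrypt_hash(password.encode(), salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, stored, current_n, current_r=8, current_p=1):
    """Return (password_ok, needs_rehash). needs_rehash is True when the
    stored hash used weaker parameters than the current policy, so the
    caller can re-hash the plaintext it just verified."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    n, r, p = int(n), int(r), int(p)
    candidate = scrypt_hash(password.encode(), bytes.fromhex(salt_hex), n, r, p)
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare
    needs_rehash = n < current_n or r < current_r or p < current_p
    return ok, needs_rehash


if __name__ == "__main__":
    params = calibrate()
    print(f"chosen n={params['n']} r={params['r']} p={params['p']}: "
          f"{params['seconds'] * 1000:.0f} ms, {params['memory_mib']:.0f} MiB per hash")
    stored = hash_password("hunter2", params["n"])
    print(verify_password("hunter2", stored, current_n=params["n"]))   # (True, False)
    print(verify_password("hunter2", stored, current_n=params["n"] * 2))  # (True, True)
```

Two points the numbers make concrete: with r=8, reaching the 1 GiB the question asks about means N=2^20, which is far past what a 250 ms budget allows on ordinary server hardware, and the memory is consumed per concurrent login, so the cap should be sized against peak simultaneous authentications, not against the box's total RAM.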