Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:104954 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 31210 invoked from network); 26 Mar 2019 06:15:15 -0000 Received: from unknown (HELO mail-vk1-f196.google.com) (209.85.221.196) by pb1.pair.com with SMTP; 26 Mar 2019 06:15:15 -0000 Received: by mail-vk1-f196.google.com with SMTP id d15so2480705vka.8 for ; Mon, 25 Mar 2019 20:08:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=6VsLLRGCAiibdsXrMqH6kMmeq+CvGlKTjmFY6H/nAxM=; b=p4ECUw5M/O0+tiIgmvd8WlCRgQr72DSFlNKy23wigvl/Q75IzFrz+Me0iOknL++aKY /4a2iJd+qTi8IcuSGyPkDxq/MsJK0IUzn+RlrG21IuymFxrfLgIVpfrW8frzHuU1OFcj oP2kKMNCbKDN/FbAXLTYW9Mxd1bok2ai++ziFeSQNaaSZt8LeoyshEYnVIRb8Mkftgq9 qmD8Rrzsd0i/0eJfIqSHZwoyGlHUS7LXjvLlSswlDCTUA54kHJayn+TTH0MqgpeZtQJO SNi/t7pJVGRm4oB7yroUEhoy+lpQyiugLR2Yv37vEldILG1Kg1HjFamlHGrgwdHEk5SD S7Yg== X-Gm-Message-State: APjAAAUscqH9cEjLiD8OisPA4dS6fS8eiXSWZTKZMTg9leP7KhVw+foi MkoYxVGzeenf5oCraPiIOzaXkZqk/rCa+7gFOPQ= X-Google-Smtp-Source: APXvYqww4gHmdG9HXsEpHM4EKksj77KIK0ZcttGPZDNWJfd3CxfrU1HtASJxqnQRBnf2NLoeyS3XZpwguPx0XpWaXRU= X-Received: by 2002:a1f:8546:: with SMTP id h67mr16845782vkd.30.1553569712417; Mon, 25 Mar 2019 20:08:32 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Reply-To: bishop@php.net Date: Mon, 25 Mar 2019 23:08:06 -0400 Message-ID: To: Sara Golemon Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000d7aec80584f6a2cc" Subject: Re: [PHP-DEV] Argon2 default time cost From: bishop@php.net (Bishop Bettini) --000000000000d7aec80584f6a2cc Content-Type: text/plain; charset="UTF-8" On Mon, Mar 25, 2019 at 10:18 PM Sara Golemon wrote: > ...snip... > So that's a long winded way of asking, does anyone see an issue with upping > the default time cost for argon2 to a higher number? (e.g. "3") > ...snip... > The only negative impact is that password hashing becomes a slightly more > expensive task. Where "slightly" means 3ms instead of 2ms on my Linux VM > running on my 2 core Mac laptop. > Thanks for tackling this work, Sara. As has been said, "whatever cost people choose should be reevaluated from time to time." [1] Now's as good a time as any. I have no objection. bishop [1]: https://www.usenix.org/legacy/publications/library/proceedings/usenix99/provos/provos_html/node6.html --000000000000d7aec80584f6a2cc--