Newsgroups: php.internals
Date: Thu, 7 Sep 2023 19:31:03 +0200
Subject: Re: [PHP-DEV] PASSWORD_DEFAULT value
From: tim@bastelstu.be (Tim Düsterhus)
To: Vinicius Dias, Hans Henrik Bergan
Cc: PHP internals

Hi

On 9/6/23 21:33, Vinicius Dias wrote:
> This is very interesting. It's the first time I see recommendations
> pro Bcrypt and against Argon2. Even Owasp recommends Argon2 over
> Bcrypt [1].
>
> I am not a cryptography expert so I believe that if there is a
> discussion of which one is better PHP shouldn't change things for now,
> so that totally answers the question of why the default is still
> bcrypt.
>

There is some opportunity for change or improvement. As a result of this thread I've created an "Increasing the default BCrypt cost" RFC. I'd be happy to see you within that RFC's discussion thread [1].

Best regards
Tim Düsterhus

[1] https://news-web.php.net/php.internals/121004