Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost
From: divinity76@gmail.com (Hans Henrik Bergan)
Date: Fri, 8 Sep 2023 10:13:51 +0200
To: Craig Francis
Cc: Tim Düsterhus, PHP internals
In-Reply-To: <6D9D6C50-EF11-48B6-AA3E-311A34EE8B41@craigfrancis.co.uk>

@Craig warning, it's very random what kind of CPU performance you get on your t2 instances, the CPUs vary greatly from modern to many years old.
I know of Fortune 500 companies that have automated systems to spin up t2 instances until they randomly get "a good one", then discard the others, because the CPU performance varies so widely.

On Thu, 7 Sept 2023 at 23:38, Craig Francis wrote:
>
> On 7 Sep 2023, at 18:26, Tim Düsterhus wrote:
> > in response to the recent "PASSWORD_DEFAULT value" thread [1], I've created an RFC to discuss an increase of the default BCrypt costs for `password_hash()` from the current value of 10.
> >
> > https://wiki.php.net/rfc/bcrypt_cost_2023
>
> Thanks Tim,
>
> Just quickly running this on two AWS EC2 servers, to give rough figures for a VM (note usual issues like noisy neighbours, turbo-boost, thermal throttling, etc).
>
> t2.nano
>
> Cost 8: 2.083060 total (0.020831 per hash)
> Cost 9: 4.115596 total (0.041156 per hash)
> Cost 10: 8.238419 total (0.082384 per hash)
> Cost 11: 16.334089 total (0.163341 per hash)
> Cost 12: 32.693785 total (0.326938 per hash)
> Cost 13: 65.587982 total (0.655880 per hash)
> Cost 14: 131.358058 total (1.313581 per hash)
>
> t2.small
>
> Cost 8: 2.062625 total (0.020626 per hash)
> Cost 9: 4.142067 total (0.041421 per hash)
> Cost 10: 8.231646 total (0.082316 per hash)
> Cost 11: 16.851889 total (0.168519 per hash)
> Cost 12: 32.814440 total (0.328144 per hash)
> Cost 13: 69.409889 total (0.694099 per hash)
> Cost 14: 133.682196 total (1.336822 per hash)
>
> Both nano and small only have 1 vCPU, have 0.5 vs 1 GiB RAM, and a different number of CPU Credits/hr.
>
> We recently discussed hashing and costs at one of our OWASP meetings, we came to the conclusion that the default of 10 for bcrypt probably should be increased, but only to 11 for typical websites. The main concern was about making denial-of-service attacks easier (think of a normal website developer, who won't limit the number of login attempts).
>
> It's also worth keeping in mind the difference between online vs offline attacks, what it's being used for, human behaviour when it comes to choosing bad passwords ("123456" and "Password1!" will still be guessed very quickly), etc.
>
> Craig
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
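A benchmark in the spirit of the figures quoted in the thread, added here as an example (it is not code from the thread or from the RFC): it times `password_hash()` at each bcrypt cost on the current host, picks the highest cost that stays under an assumed per-login latency budget, and shows `password_needs_rehash()` flagging a hash stored at the old default for a transparent upgrade. The password, the 10-hashes-per-cost sample size and the 250 ms budget are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Assumed inputs for this example: a dummy password, the cost range from the
// thread, a per-login latency budget (250 ms is an arbitrary choice here) and a
// small sample per cost so the full run finishes in reasonable time.
$password    = 'correct horse battery staple';
$costs       = range(8, 14);
$budgetMs    = 250.0;
$hashesPerPt = 10;

$perHashMs = [];
foreach ($costs as $cost) {
    $start = hrtime(true); // nanoseconds, monotonic
    for ($i = 0; $i < $hashesPerPt; $i++) {
        password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    $totalMs = (hrtime(true) - $start) / 1e6;
    $perHashMs[$cost] = $totalMs / $hashesPerPt;
    printf("Cost %2d: %9.3f ms total (%8.3f ms per hash)\n",
        $cost, $totalMs, $perHashMs[$cost]);
}

// Each cost step doubles the bcrypt work factor, so the per-hash time should
// roughly double from one row to the next. Keep the highest cost that still
// fits the budget; fall back to PHP's current default of 10 if none does.
$chosen = 10;
foreach ($perHashMs as $cost => $ms) {
    if ($ms <= $budgetMs) {
        $chosen = $cost;
    }
}
printf("Highest cost within a %.0f ms budget on this host: %d\n", $budgetMs, $chosen);

// Upgrade path: a credential hashed at the old default is rehashed the next
// time its owner logs in with the correct password, so raising the cost
// needs no bulk migration of the stored hashes.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
if (password_verify($password, $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $chosen])) {
    $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $chosen]);
    echo "Rehashed stored credential at cost {$chosen}\n";
}
```

Because bcrypt time scales with the cost and not with request volume, the same script also gives a quick estimate of how many concurrent logins a single vCPU can absorb at the chosen cost, which is the denial-of-service trade-off Craig raises.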