Newsgroups: php.internals
Xref: news.php.net php.internals:121018
Date: Fri, 8 Sep 2023 19:49:58 +0300
From: drealecs@gmail.com (Alexandru Pătrănescu)
To: Tim Düsterhus
Cc: PHP internals
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost

On Thu, Sep 7, 2023 at 8:26 PM Tim Düsterhus wrote:

> Hi
>
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
>

I think 12 looks reasonable.
I've performed some tests myself on private hosted servers with newer hardware with good results for 12 around 0.1 seconds.

Can this be integrated into PHP 8.3, as it's not a new feature that can cause problems?
Pushing it to 8.4 will delay the real usage by 2-3 more years already.

I feel like the hardware performance improvements (specifically single thread performance) slightly increased in the past 3-4 years, and soon most of the hosting providers will be using it.

Thank you for looking into this. Having good security configuration by default is important.

Regards,
Alex
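
A way to repeat the kind of timing mentioned in the message above on your own hardware, and to see how stored cost-10 hashes move to a higher cost at login. This is an added example, not part of the original message or the RFC; the sample password, the function names `medianHashMs` and `verifyAndUpgrade`, and the list of costs tested are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample password; bcrypt only uses the first 72 bytes of input.
const SAMPLE_PASSWORD = 'correct horse battery staple';

/** Median wall-clock time in milliseconds of password_hash() at a given bcrypt cost. */
function medianHashMs(int $cost, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $start) / 1e6; // nanoseconds to milliseconds
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/**
 * Login-time upgrade: verify against the stored hash, then re-hash when the
 * stored cost differs from the target. Returns the hash to store, or null
 * when the password does not match.
 */
function verifyAndUpgrade(string $password, string $storedHash, int $targetCost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return $storedHash;
}

// Each +1 in cost doubles the work, so cost 12 takes roughly 4x as long as cost 10.
foreach ([10, 11, 12, 13] as $cost) {
    printf("cost %2d: %7.1f ms\n", $cost, medianHashMs($cost));
}

// A hash created under the old default is upgraded the next time the user logs in.
$old = password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, ['cost' => 10]);
$new = verifyAndUpgrade(SAMPLE_PASSWORD, $old, 12);
printf("stored cost before: %d, after login: %d\n",
    password_get_info($old)['options']['cost'],
    password_get_info($new)['options']['cost']);
```

Run it with the same PHP build and SAPI as production, since timings from a faster development machine will understate the per-login latency.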