Newsgroups: php.internals
Message-ID: <076e8c8a-9f17-0163-acad-87df7f4302a1@bastelstu.be>
Date: Sun, 10 Sep 2023 18:05:58 +0200
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost
From: tim@bastelstu.be (Tim Düsterhus)
To: Alexandru Pătrănescu
Cc: PHP internals

Hi

On 9/8/23 18:49, Alexandru Pătrănescu wrote:
>> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
>> created an RFC to discuss an increase of the default BCrypt costs for
>> `password_hash()` from the current value of 10.
>>
>> https://wiki.php.net/rfc/bcrypt_cost_2023
>>
>
> I think 12 looks reasonable.
> I've performed some tests myself on private hosted servers with
> newer hardware with good results for 12 around 0.1 seconds.

wow, that is a 33% reduction even compared to the Xeon E-2246G and thus
hard to believe. What CPU is that?

> Can this be integrated into PHP 8.3, as it's not a new feature that can
> cause problems?

The release managers for PHP 8.3 would need to decide that. However I'd
rather not include this in PHP 8.3 at this point.

> Pushing it to 8.4 will delay the real usage by 2-3 more years already.

IMO this is fine. Common frameworks can and do already use a different
default. Symfony apparently is at 13 by default. Laravel uses 10, but
I've already pinged someone on Mastodon to maybe have a look at the
results of this RFC: https://phpc.social/@timwolla/111025125667858110

The current default of 10 is not insecure and rolling this out a little
more slowly will mean that more and more of the old and slow hardware
will be retired and replaced by modern hardware, lessening the impact.

> I feel like the hardware performance improvements (specifically single
> thread performance) slightly increased in the past 3-4 years, and soon most
> of the hosting providers will be using it.

From my experience as a developer of software that is commonly run on
shared hosting, web hosters *love* their ancient hardware, because it's
fully depreciated from a taxation / accounting PoV and every extra day it
is used is "free money". Customers commonly are not able to tell they are
running with tens of other customers on this ancient hardware and thus
won't complain ("loading times of 1 second are fine").

Best regards
Tim Düsterhus
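The thread above argues about which bcrypt cost `password_hash()` should default to, citing measured hashing times (around 0.1 s at cost 12 on newer hardware) and the fact that frameworks already pick their own default. The following PHP script is an added example, not code from this thread, from the RFC, or from any framework mentioned: it measures how long each cost takes on the machine it runs on, picks the highest cost that stays within a target time, and shows the login-time `password_needs_rehash()` pattern that lets an application raise its cost without forcing password resets. The function names, the 0.1 s target, the cost range 10..15 and the sample passwords are all assumptions chosen for the illustration.

```php
<?php
// Added example (not part of the php.internals thread or the RFC): benchmark
// bcrypt costs locally, choose a cost from the measurements, and upgrade
// stored hashes transparently at login.

declare(strict_types=1);

/**
 * Median wall-clock seconds for one password_hash() call at $cost.
 * Several rounds are taken so a single slow sample does not skew the result.
 */
function bcrypt_cost_seconds(int $cost, int $rounds = 3): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $start = hrtime(true);
        // Constructed benchmark input; the value itself is irrelevant to timing.
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $start) / 1e9;
    }
    sort($samples);
    return $samples[intdiv(count($samples), 2)];
}

/**
 * Highest cost in [$min, $max] whose median hashing time does not exceed
 * $targetSeconds on this hardware. Costs are tried in increasing order and
 * the scan stops at the first one that is too slow, since bcrypt time
 * doubles with every cost step.
 */
function choose_bcrypt_cost(float $targetSeconds, int $min = 10, int $max = 15): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        if (bcrypt_cost_seconds($cost) > $targetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

/**
 * Login-time helper: verify the password and, if the stored hash was made
 * with a cost other than the application's current one, return a fresh hash
 * the caller must persist. Returns null when the password does not match,
 * so a wrong password never triggers a rehash.
 */
function verify_and_upgrade(string $password, string $storedHash, int $currentCost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $currentCost]);
    }
    return $storedHash;
}

// --- demonstration ---

foreach ([10, 11, 12, 13] as $cost) {
    printf("cost %2d: %.3f s\n", $cost, bcrypt_cost_seconds($cost));
}

$target = 0.1; // assumed budget per login, matching the figure quoted in the thread
printf("highest cost within %.2f s on this machine: %d\n", $target, choose_bcrypt_cost($target));

// Simulate an account whose hash was stored at the current default of 10,
// while the application has since moved to cost 12.
$newCost    = 12;
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

$upgraded = verify_and_upgrade('correct horse battery staple', $legacyHash, $newCost);
printf("rehash produced on successful login: %s\n", $upgraded !== null && $upgraded !== $legacyHash ? 'yes' : 'no');
printf("wrong password rejected without rehash: %s\n", verify_and_upgrade('wrong password', $legacyHash, $newCost) === null ? 'yes' : 'no');
```

Run it with `php bench.php` on the actual production hardware rather than a developer laptop; as the thread notes, shared hosting often runs on far older CPUs, so a cost that lands at 0.1 s on a recent Xeon can be several times slower there. The rehash step is what makes a higher default safe to roll out gradually: existing accounts keep working and are silently re-hashed at the new cost on their next successful login.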