Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost
From: divinity76@gmail.com (Hans Henrik Bergan)
Date: Tue, 12 Sep 2023 17:56:17 +0200
To: Tim Düsterhus
Cc: Alexandru Pătrănescu, PHP internals
In-Reply-To: <076e8c8a-9f17-0163-acad-87df7f4302a1@bastelstu.be>

>web hosters *love* their ancient hardware

No kidding.
dreamhost.com hosts over 1.5 million websites, presumably most are on their
"Shared Unlimited" package, which runs on AMD Opteron 4122, a high-end server
CPU from 2010.

Some benchmarks there:

hanshenrik@jonathan-dayton:~$ cat /proc/cpuinfo | head
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 16
model           : 8
model name      : AMD Opteron(tm) Processor 4122
stepping        : 0
microcode       : 0x10000da
cpu MHz         : 2200.000
cache size      : 512 KB
physical id     : 0
hanshenrik@jonathan-dayton:~$ php -v
PHP 8.2.5 (cli) (built: Apr 13 2023 18:45:57) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.5, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.5, Copyright (c), by Zend Technologies
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'
  Time (mean ± σ):     122.7 ms ±   2.4 ms    [User: 78.1 ms, System: 33.7 ms]
  Range (min … max):   120.0 ms … 127.5 ms    22 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'
  Time (mean ± σ):     166.4 ms ±   2.7 ms    [User: 115.1 ms, System: 39.3 ms]
  Range (min … max):   163.0 ms … 171.2 ms    18 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'
  Time (mean ± σ):     246.0 ms ±   5.2 ms    [User: 198.2 ms, System: 34.5 ms]
  Range (min … max):   241.0 ms … 256.5 ms    12 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'
  Time (mean ± σ):     409.7 ms ±   3.6 ms    [User: 355.6 ms, System: 41.6 ms]
  Range (min … max):   405.3 ms … 416.6 ms    10 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'
  Time (mean ± σ):     729.3 ms ±  10.6 ms    [User: 672.5 ms, System: 43.8 ms]
  Range (min … max):   717.3 ms … 754.5 ms    10 runs

Must say, surprisingly good performance for a 2010 CPU.

On Sun, Sep 10, 2023, 18:06 Tim Düsterhus wrote:

> Hi
>
> On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> >> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> >> created an RFC to discuss an increase of the default BCrypt costs for
> >> `password_hash()` from the current value of 10.
> >>
> >> https://wiki.php.net/rfc/bcrypt_cost_2023
> >>
> >>
> >
> > I think 12 looks reasonable.
> > I've performed some tests myself on private hosted servers with
> > newer hardware with good results for 12 around 0.1 seconds.
>
> wow, that is a 33% reduction even compared to the Xeon E-2246G and thus
> hard to believe. What CPU is that?
>
> > Can this be integrated into PHP 8.3, as it's not a new feature that can
> > cause problems?
>
> The release managers for PHP 8.3 would need to decide that. However I'd
> rather not include this in PHP 8.3 at this point.
>
> > Pushing it to 8.4 will delay the real usage with 2-3 more years already.
>
> IMO this is fine. Common frameworks can and do already use a different
> default. Symfony apparently is at 13 by default. Laravel uses 10, but
> I've already pinged someone on Mastodon to maybe have a look at the
> results of this RFC:
>
> https://phpc.social/@timwolla/111025125667858110
>
> The current default of 10 is not insecure and rolling this out a little
> more slowly will mean that more and more of the old and slow hardware
> will be retired and replaced by modern hardware, lessening the impact.
>
> > I feel like the hardware performance improvements (specifically single
> > thread performance) slightly increased in the past 3-4 years, and soon most
> > of the hosting providers will be using it.
> >
>
> From my experience as a developer of a software that is commonly run on
> shared hosting, web hosters *love* their ancient hardware, because it's
> fully depreciated from a taxation / accounting PoV and every extra day
> it is used is "free money". Customers commonly are not able to tell they
> are running with tens of other customers on this ancient hardware and
> thus won't complain ("loading times of 1 second are fine").
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
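Added example, not code from the post or from PHP itself: the hyperfine means above include a constant `php -r` start-up cost at every cost setting, so the pure bcrypt time is smaller than the wall time shown. This Python script fits t(cost) = overhead + k * 2^cost to those five measurements (bcrypt's key set-up doubles with each cost step), reports the implied start-up overhead and per-cost hash time, and picks the highest cost whose estimated hash time fits a latency budget. The model, the budget values and the function names are assumptions made for this example.

```python
"""Separate bcrypt work from PHP start-up in the hyperfine numbers above.

Assumption: bcrypt runs 2**cost rounds of key set-up, so wall time for
`php -r 'password_hash(...)'` should follow t(cost) = overhead + k * 2**cost,
where `overhead` is the constant CLI start-up paid at every cost. A straight
line fit of t against 2**cost recovers both constants from the measurements.
"""

# Mean wall-clock times in ms reported by hyperfine in the post (Opteron 4122).
MEASURED_MS = {9: 122.7, 10: 166.4, 11: 246.0, 12: 409.7, 13: 729.3}


def fit_bcrypt_model(measured):
    """Ordinary least squares of t = overhead + k * x with x = 2**cost.
    Returns (overhead_ms, k_ms); the pure hash time at cost c is k * 2**c."""
    xs = [2.0 ** c for c in measured]
    ys = [measured[c] for c in measured]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    k = sxy / sxx
    return mean_y - k * mean_x, k


def hash_time_ms(k, cost):
    """Estimated time of the bcrypt computation alone at the given cost."""
    return k * 2 ** cost


def max_cost_within(k, budget_ms, lo=4, hi=31):
    """Highest cost in PHP's accepted range (4..31) whose estimated hash time
    does not exceed budget_ms, or None if even the lowest cost is too slow."""
    best = None
    for cost in range(lo, hi + 1):
        if hash_time_ms(k, cost) <= budget_ms:
            best = cost
    return best


if __name__ == "__main__":
    overhead, k = fit_bcrypt_model(MEASURED_MS)
    print(f"php start-up overhead ~{overhead:.1f} ms, k = {k:.5f} ms")
    for cost, measured in MEASURED_MS.items():
        print(f"cost {cost}: measured {measured:6.1f} ms, "
              f"bcrypt alone ~{hash_time_ms(k, cost):6.1f} ms")
    for budget in (100.0, 250.0, 400.0):
        print(f"budget {budget:5.0f} ms -> max cost {max_cost_within(k, budget)}")
```

On the post's numbers the fit puts the start-up overhead near 85 ms and the bcrypt work itself near 80 ms at cost 10 and roughly 320 ms at cost 12, so the 2010 Opteron spends about 0.3 s per hash at the proposed default, not the 0.4 s wall time hyperfine reports.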