Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121047
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83107 invoked from network); 12 Sep 2023 16:01:32 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 12 Sep 2023 16:01:32 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id EE123180504
	for <internals@lists.php.net>; Tue, 12 Sep 2023 09:01:31 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 12 Sep 2023 09:01:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1694534489;
	bh=hh8oMePNsBLn3i/pOqvd+wwW4e/s2PbfDXw/iwCTOrg=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=Yp6kubbY2wjKXSnQOE57zHgkNP+71P8Zw5m2DxN4JC71777xpcOdNU5Dmt2b2dadu
	 TG4o1u44pjRIzxF553SeOZLJcUuSZXxt85ZHvBWfSPYRgHWInTdzaiwKekIsqxoSfs
	 gkjkv9LJN39qRF3LPCsVxIXDeDquLvw0iw/ItT6ub3WQvwER+Cy8i2gVnaC8uxvCYa
	 MKjG+6dNRGCEQA1NGlfO2+ze7RK988i6XluHJYuuTZfr4Db6oqaNod+Goms+TnM+7y
	 nIbwSJz1mDVMqEWqTjyPiYSKOl31O7V9pm0Td/S3xsHDry2GphyQ1jG9qIrj55nyhZ
	 j42lndQchK+2w==
Message-ID: <7da23206-9cd9-947d-fa19-645ae21923cb@bastelstu.be>
Date: Tue, 12 Sep 2023 18:01:27 +0200
MIME-Version: 1.0
To: Hans Henrik Bergan <divinity76@gmail.com>
Cc: PHP internals <internals@lists.php.net>
References: <e6d0f349-436d-8545-4146-e1293c901d65@bastelstu.be>
 <CAAwdEzD=3cG17jCz8v4dT1qoCMOjxEgqh1UvSwk-MU2nVEMA2A@mail.gmail.com>
 <076e8c8a-9f17-0163-acad-87df7f4302a1@bastelstu.be>
 <CAJmy8YGW6PTuVvUijHQ4jBHnd-jtHMg8EtuuASR=VP5gmQjo1g@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CAJmy8YGW6PTuVvUijHQ4jBHnd-jtHMg8EtuuASR=VP5gmQjo1g@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/12/23 17:56, Hans Henrik Bergan wrote:
>> web hosters *love* their ancient hardware
> 
> No kidding. dreamhost.com host over 1.5 million websites, presumably most
> are on their "Shared Unlimited" package, which runs on
> AMD Opteron 4122, a high-end server CPU from 2010.
> Some benchmarks there:

It appears your benchmarks are broken, because you're also measuring the 
startup cost of PHP itself. You should see an approximate doubling in 
time taken for each increase of the cost, but you have 122ms for 9 and 
166ms for 10.

A simple microtime(true) benchmark loop as used with my test script 
should be fine for ballpark estimates, as password_hash() is pretty 
heavy, dwarfing the measurement overhead.

Best regards
Tim Düsterhus