Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:121082 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 20077 invoked from network); 18 Sep 2023 02:40:47 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 18 Sep 2023 02:40:47 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 5C97F1804BC for ; Sun, 17 Sep 2023 19:40:46 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-yb1-f179.google.com (mail-yb1-f179.google.com [209.85.219.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 17 Sep 2023 19:40:45 -0700 (PDT) Received: by mail-yb1-f179.google.com with SMTP id 3f1490d57ef6-d8521c7172eso12028276.1 for ; Sun, 17 Sep 2023 19:40:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695004845; x=1695609645; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/A5mVe0g0LGWphowk1dAE0X1N+uqOTSxviQiRdsQPKQ=; b=E9So4uTj3DsKewm8mp58upqrT2PSCELKjg/3uRpaJ/2sMrZh+lEQUJqDD5Q80Iwia2 k98hvxiNr+kq3sHBvP6SHKORoXVmuKc63aLeHV32ujBOhd8yWjFkTKQ0cycDJuP7udMw xaw05jdoCM5QVugB4/x7yUgo1zITYjFkwDTwG+2yh4LAQuIhhRhNpQlaS42P+7+g9RLj VEoAwNErkU9XG/QEmubAiEXWSbRRV1FIZhmKsSknrclS6KKz6OxmOFlBKPJcUU2hwC7G w+v1nJG9hRHLL+sIQPjcQ4FrNeojskRBUtXU+ArpQitEY7XZTW60FJul4IAVYuCYQhcB gb8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695004845; x=1695609645; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/A5mVe0g0LGWphowk1dAE0X1N+uqOTSxviQiRdsQPKQ=; b=q7fuZXdgKf7AyI+OkYBe94YZwVSROvDyxmB5jz+QJC+LG+DFQVGfowmh9ehks86lti BDqajwpKa6YpHmlLzOqga38kMZ8y2F7aLlgoxtV+wG+t2sBIbIFPgPlHnmt2tmm1hWc/ rldKSFInWrUNZhMg7tmRqVHnWSQIFhdif8PrW9fvKD9Nc/dnsIzLUELeRTiBTrxAQrvg REENC5oJ3ytKTc5Fm6ITIncyi0/gpayRF+zIsNL84t2VthPklu2z2/otSTHXTpM9JXRI VEY8OvvT1jJIc6upSj7BERVvK8IZdEOH50cAcpAfn5ePxr3dIrgFtPXp6ZVikW5C7vk0 Dr2g== X-Gm-Message-State: AOJu0YwEuhAwhNsmTJVpZhqZfK+vHyszJcNJ2dKo7Yuq897hibKk7L4y 8w55fTpZemBHrVWVo/0ZFXGJjKqzy8rOGF6ZM68Bo/i4I4q6gYLv X-Google-Smtp-Source: AGHT+IH/Rl4a6uo5l3oWxw1KHPsO9LHk1XxBbxu0BrakYOBz/xOREnaiA0tlDN4ahCrCxQYd6grjneWOIxjl3uukI18= X-Received: by 2002:a25:ac4f:0:b0:d12:25d:fd60 with SMTP id r15-20020a25ac4f000000b00d12025dfd60mr7407642ybd.9.1695004845012; Sun, 17 Sep 2023 19:40:45 -0700 (PDT) MIME-Version: 1.0 References: <076e8c8a-9f17-0163-acad-87df7f4302a1@bastelstu.be> In-Reply-To: <076e8c8a-9f17-0163-acad-87df7f4302a1@bastelstu.be> Date: Mon, 18 Sep 2023 05:40:27 +0300 Message-ID: To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000adfaa7060599113f" Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost From: drealecs@gmail.com (=?UTF-8?Q?Alexandru_P=C4=83tr=C4=83nescu?=) --000000000000adfaa7060599113f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sun, Sep 10, 2023 at 7:06=E2=80=AFPM Tim D=C3=BCsterhus wrote: > Hi > > On 9/8/23 18:49, Alexandru P=C4=83tr=C4=83nescu wrote: > > > > I think 12 looks reasonable. > > I've performed some tests myself on private hosted servers with > > newer hardware with good results for 12 around 0.1 seconds. > > wow, that is a 33% reduction even compared to the Xeon E-2246G and thus > hard to believe. What CPU is that? > > That was a new Xeon Gold 5416S. I got lucky being able to run some tests on it before being pushed to production replacing a slightly older one, a Xeon Gold 5218. I'll be able to test that as well, but I feel like anyway the hardware I used is not what is usually in general. Actually, it is even less relevant, as it is meant to be used by a high performing MySQL server and not for running PHP. > > Pushing it to 8.4 will delay the real usage with 2-3 more years already= . > > IMO this is fine. Common frameworks can and do already use a different > default. Symfony apparently is at 13 by default. Laravel uses 10, but > I've already pinged someone on Mastodon to maybe have a look at the > results of this RFC: > > https://phpc.social/@timwolla/111025125667858110 > > The current default of 10 is not insecure and rolling this out a little > more slowly will mean that more and more of the old and slow hardware > will be retired and replaced by modern hardware, lessening the impact. > > Understood, yes, I agree. > > I feel like the hardware performance improvements (specifically single > > thread performance) slightly increased in the past 3-4 years, and soon > most > > of the hosting providers will be using it. > > > > From my experience as a developer of a software that is commonly run on > shared hosting, web hosters *love* their ancient hardware, because it's > fully depreciated from a taxation / accounting PoV and every extra day > it is used is "free money". Customers commonly are not able to tell they > are running with tens of other customers on this ancient hardware and > thus won't complain ("loading times of 1 second are fine"). > > Yes, I think I evaluated the hardware upgrade lifecycle to be around 5 years, but in reality it's 10-15 years. And also the CPU options used by hosting providers are cost oriented, to get the most performance per dollar. Thank you, Alex --000000000000adfaa7060599113f--