Newsgroups: php.internals
Date: Wed, 20 Sep 2023 12:16:25 +0200
To: internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: Increasing the default BCrypt cost
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 9/7/23 19:26, Tim Düsterhus wrote:
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
>
> This message is intended to officially open the discussion period for
> that RFC.

The minimum 14 days of discussion will be over tomorrow. I believe the RFC is clearly written, sufficiently explains possible drawbacks and gives enough data to make an informed decision. As such I don't expect any more meaningful discussion and plan to open the vote shortly after the 14 days are actually over to get this off my list.

Best regards
Tim Düsterhus