Newsgroups: php.internals
Date: Fri, 22 Sep 2023 09:04:29 +0200
From: nicolas.grekas+php@gmail.com (Nicolas Grekas)
To: Tim Düsterhus
Cc: PHP internals
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

> I just opened the vote for the "Increasing the default BCrypt cost" RFC.
> The RFC contains two votes, one primary vote that requires a 2/3
> majority to pass and a secondary vote deciding on the new costs with a
> simple majority. Voting runs 2 weeks until 2023-10-05 17:45 UTC.
>
> Please find the following resources for your references:
>
> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023
> Discussion Thread: https://externals.io/message/121004
> Feedback by a Hashcat team member on Fediverse:
> https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075
>

Hi Tim,

For the record, I voted for 11 because I think it's nicer to end users (I guess many don't know they could have a potential DoS vector via password submissions), and also because it's going to be easy to raise again in 8.5/9.0.

I was wondering if you considered also raising the Argon2 default cost? Has this been discussed?

Thanks for the RFC
Nicolas