Newsgroups: php.internals
Xref: news.php.net php.internals:121129
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: craig@craigfrancis.co.uk (Craig Francis)
To: Nicolas Grekas
Cc: Tim Düsterhus, PHP internals
Date: Fri, 22 Sep 2023 09:46:08 +0100
Message-ID: <44945ACB-066E-4805-8EF2-26796BA01671@craigfrancis.co.uk>

On 22 Sep 2023, at 08:04, Nicolas Grekas wrote:

> For the record, I voted for 11 because I think it's nicer to end users (I guess many don't know they could have a potential DoS vector via password submissions), and also because it's going to be easy to raise again in 8.5/9.0.
+1

I can't vote, but I would urge people to be careful with this.

While a high cost might make you *feel* good, the DoS problem is real, especially on older hardware - 10 is still fine today, 11 is a fair improvement against brute force guessing, 12 is just burning CPU cycles today, simply because the difference does not address the problem of commonly used passwords (like 123456, password1, monkey, etc).

Also, if you want to increase the cost yourself, on a system which blocks too many password attempts, you can do that easily - this is about the default, for people who are not customising it for their (shared/old) hardware.

Craig, OWASP Bristol chapter leader, and regular attendee of PasswordsCon.
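As an added example (not code from this thread or from php-src), the "set the cost yourself" approach the message refers to: measure how long one bcrypt hash takes on the hardware at hand, pick the highest cost that fits a per-login CPU budget, and upgrade stored hashes on the next successful login. The 250 ms budget, the cost bounds and the sample password are assumptions.

```php
<?php
// Added example: choose the bcrypt cost for *this* hardware instead of relying on
// the default, then migrate existing hashes with password_needs_rehash().

/** Median wall-clock time (ms) for one bcrypt hash at the given cost. */
function bcrypt_hash_time_ms(int $cost, int $samples = 3): float
{
    $times = [];
    for ($i = 0; $i < $samples; $i++) {
        $start = hrtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $times[] = (hrtime(true) - $start) / 1e6;
    }
    sort($times);
    return $times[intdiv(count($times), 2)];
}

/** Highest cost in [$min, $max] whose per-hash time stays under $budgetMs.
 *  Every password_verify() call burns this much CPU, so the budget is the
 *  DoS knob: pick it together with your rate limiting, not in isolation. */
function choose_bcrypt_cost(float $budgetMs, int $min = 10, int $max = 14): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        if (bcrypt_hash_time_ms($cost) > $budgetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

/** Verify a login; return the hash to store (new one if the cost changed), null on failure. */
function verify_and_maybe_rehash(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    $opts = ['cost' => $cost];
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : $storedHash;
}

// Usage (constructed): a hash stored at cost 10 on a site now targeting a 250 ms budget.
$cost = choose_bcrypt_cost(250.0);
$old  = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$new  = verify_and_maybe_rehash('correct horse battery staple', $old, $cost);
printf("cost=%d, %s\n", $cost, $new === $old ? 'hash unchanged' : 'hash upgraded');
```

Run the benchmark once at deploy time (not per request) and store the chosen cost in configuration; on shared or older hardware the loop will simply stop at 10 or 11.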