Newsgroups: php.internals
To: Tim Düsterhus, PHP internals
Date: Mon, 25 Sep 2023 04:20:02 +0000
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: theodorejb@outlook.com (Theodore Brown)

On Thu, Sep. 21, 2023 at 12:26 PM Tim Düsterhus wrote:

> I just opened the vote for the "Increasing the default BCrypt cost" RFC.
> The RFC contains two votes, one primary vote that requires a 2/3
> majority to pass and a secondary vote deciding on the new costs with a
> simple majority. Voting runs 2 weeks until 2023-10-05 17:45 UTC.
>
> Please find the following resources for your references:
>
> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023

Hi Tim,

Thanks for your work on this. I think bumping the default BCrypt cost from 10 to 11 is reasonable, as this typically adds less than 100 milliseconds additional latency, which shouldn't be too noticeable for users logging in.

However, I am concerned about changing the default directly from 10 to 12. Per the benchmarks in the RFC, even on recent hardware like the Apple M1 Pro this adds 179 ms additional time to verify a password (compared to 60 ms for the change to 11). This would be a noticeable slowdown for user logins.

It gets even worse on older hardware, with the example of the 2011 Core i5 adding 247 milliseconds additional time at a cost of 12, vs. 81 ms additional time using a cost of 11.

It will be easy to bump the default cost again in the future, so I think a more gradual increase will be safer to avoid an obvious degradation to user login time.

Best regards,
Theodore
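
The latency comparison discussed in this message can be reproduced on a deployment's own hardware. The following is an added example, not code from the message or the RFC: it measures the extra `password_verify()` time of cost 11 and 12 relative to cost 10, then shows a stored hash being upgraded at login once the target cost is raised. The function names, sample password and run count are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample password, used only for timing.
const SAMPLE_PASSWORD = 'correct horse battery staple';

/** Median wall-clock time in milliseconds of password_verify() at a given bcrypt cost. */
function medianVerifyMs(int $cost, int $runs = 5): float
{
    $hash = password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, ['cost' => $cost]);
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);                       // monotonic clock, nanoseconds
        password_verify(SAMPLE_PASSWORD, $hash);
        $samples[] = (hrtime(true) - $start) / 1e6;  // ns -> ms
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/** Added verification latency of each candidate cost relative to the baseline cost. */
function addedLatencyMs(int $baseline, array $candidates): array
{
    $base = medianVerifyMs($baseline);
    $added = [];
    foreach ($candidates as $cost) {
        $added[$cost] = medianVerifyMs($cost) - $base;
    }
    return $added;
}

foreach (addedLatencyMs(10, [11, 12]) as $cost => $ms) {
    printf("cost %d: +%.0f ms per verification vs. cost 10\n", $cost, $ms);
}

// Existing hashes keep the cost they were created with. A login handler
// upgrades them after a successful verify once the target cost is raised.
$stored = password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, ['cost' => 10]);
$target = ['cost' => 11];
if (password_verify(SAMPLE_PASSWORD, $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, $target)) {
    $stored = password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT, $target);
}
printf("stored hash now uses cost %d\n", password_get_info($stored)['options']['cost']);
```

Each cost step doubles the bcrypt work factor, so the measured increments should roughly double from one step to the next on the same machine.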