Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:121140 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 41924 invoked from network); 25 Sep 2023 17:07:19 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 25 Sep 2023 17:07:19 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id B82B11804C6 for ; Mon, 25 Sep 2023 10:07:18 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS24940 176.9.0.0/16 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 25 Sep 2023 10:07:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1695661636; bh=i3cAwLI7ReBVr8Kl1hf9EKWs1jRGzUloX2vQBsO1+eo=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type:from:to:cc:subject:message-id; b=gUQ/OzjrxZzkU5+1MctZXX0VLpwEKw3eCHv3Z4CA17uC/LXSB5Fi2BqVZZdYfTB3y AWEFCkaBICIGrZy30KBehetB6Xo98iyMPp29To1YJegsDW0XvTCAatyBehEdSf4yoQ kpwpCWDEToKGe2jx70W92m/dPxwsO0lVcLA5VL8QUORaaGuAHP0TOf8KN67Dw7mc5Z OvE8sWv8G0GigL/l/X+st/Ww9PIakeeFluEoJERwrcCe13yVJUeHEafIblf0UewGtj FmOgxWkewfYOhjmDunc2xiISewGeRAYhWXvay1TENEEismHRwkiMOL5hBpUupRON1/ x1lVBBgmCTTBQ== Message-ID: <05ef9741-7a5d-cfc7-1e3d-42071fac232a@bastelstu.be> Date: Mon, 25 Sep 2023 19:07:16 +0200 MIME-Version: 1.0 Content-Language: en-US To: Craig Francis , Nicolas Grekas Cc: PHP internals References: <44945ACB-066E-4805-8EF2-26796BA01671@craigfrancis.co.uk> In-Reply-To: <44945ACB-066E-4805-8EF2-26796BA01671@craigfrancis.co.uk> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=) Hi On 9/22/23 10:46, Craig Francis wrote: > On 22 Sep 2023, at 08:04, Nicolas Grekas wrote: >> For the record, I voted for 11 because I think it's nicer to end users (I guess many don't know they could have a potential DoS vector via password submissions), and also because it's going to be easy to raise again in 8.5/9.0. > > [...] > I can't vote, but I would urge people to be careful with this. I've now did the maths and you really need rate limiting no matter if you use costs 10, 11 or 12, so I believe the DoS argument is a little moot. Taking the Xeon(R) E-2246G CPU as the fastest CPU within the RFC itself (only beaten by Alexandru's Xeon Gold 5416S): Verifying a single cost-11 hash keeps a single core busy for ~80ms. This allows for calculating 12.7 cost-11 hashes per core and second. The CPU is a 6C/12T CPU. SMT likely does not provide a performance benefit, because the cores will generally be busy all the time, but let's just assume SMT scales linearly for sake of the argument. Rounding up generously that means this CPU can calculate ~155 cost-11 hashes per second. A single computer on a slow Internet connection is easily capable of sustaining 155 HTTP requests per second. For reference a single HTTP/2 TCP connection commonly allows for 100 concurrent streams as per https://stackoverflow.com/a/36847527/782822. The current costs of 10 would allow for roughly twice the amount of hashes per second, resulting in the CPU being saturated at just 300 requests per second, still easily emitted with a single low-bandwidth computer. For the Xeon Gold 5416S which needs 0.1s / cost-12 hash (i.e. 50ms per cost-11 hash) you can do 20 cost-11 hashes per core and second. This CPU has 16C/32T, resulting in less than 640 hashes per second if you assume SMT scales linearly. > While a high cost might make you *feel* good, the DoS problem is real, especially on older hardware - 10 is still fine today, 11 is a fair improvement against brute force guessing, 12 is just burning CPU cycles today, simply because the difference does not address the problem of commonly used passwords (like 123456, password1, monkey, etc). The attacker does not know which users use less secure passwords and thus will spend effort for "secure" and "insecure" passwords alike. Doubling the costs will mean that each password takes twice as long to crack on average, making cracking twice as expensive. For less secure passwords that can make the difference between "being cracked" and "not being cracked" if the attacker is willing to spend a given amount of CPU time per password. > Also, if you want to increase the cost yourself, on a system which blocks too many password attempts, you can do that easily - this is about the default, for people who are not customising it for their (shared/old) hardware. > I believe it would be correct to assume that higher-traffic websites which are at a risk of denial of service (e.g. by folks that envy their success) would generally be sufficiently knowledgeable to make an explicit choice for their workload. The less experienced folks that will rely on the defaults are probably also the folks who are most likely to be breached and thus higher costs provide a real value-add against hashes being cracked. Best regards Tim Düsterhus