Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121143
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53290 invoked from network); 25 Sep 2023 19:58:05 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 25 Sep 2023 19:58:05 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id E7FE518005C
	for <internals@lists.php.net>; Mon, 25 Sep 2023 12:58:04 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 25 Sep 2023 12:58:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1695671882;
	bh=aSNg02+2zCdBPfZTnNYqKR/oobF84WgYqWr3kfsUVHA=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=BlH979Es1u7285ZP4pkqiBM4N+GuBBGQoVQ/XlKMHSfZCHCDsLA8PrbGXiusWZ9eT
	 SVisP0mZv+j0Y5dLaBjO0dv1jJEwGkp0+oODK+hhJA0qOyAY/kOFVBtSalsJ0VVsgd
	 PzsDr//HIGJambou8LNn3JwRnpvGFdn21DCPShoGrMgmnCIYhFaNAeJFtBM9aPMa5w
	 y1/mgTnWzNNV3uH6ObEqylsm6iMeq/qTlCSXVCh+zGLdPNmHUjHpWlFCrF/nZTDXf2
	 1IVVL/2mU6C50bDzDd2VyhYECLgWzETANY3OMlAkcHRFFRDXEhWEGTRGL7zykrRbMR
	 +wHPzVYut1IJw==
Message-ID: <749cf61e-b9b4-dc8b-facb-a19f76df4333@bastelstu.be>
Date: Mon, 25 Sep 2023 21:58:00 +0200
MIME-Version: 1.0
Content-Language: en-US
To: Levi Morrison <levi.morrison@datadoghq.com>
Cc: PHP internals <internals@lists.php.net>
References: <a9b0d24f-fe59-75af-4b1e-dcd8067482b0@bastelstu.be>
 <CAAKU0u=owpz5OEPUzKqPWQQEam+9gYqBCCUqnxUBQCvZU00QVw@mail.gmail.com>
In-Reply-To: <CAAKU0u=owpz5OEPUzKqPWQQEam+9gYqBCCUqnxUBQCvZU00QVw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/25/23 21:43, Levi Morrison via internals wrote:
> I did a tiny bit of my own research, and could not find any
> recommendations more specific than "10 or more" as the cost factor.
> Typically, the advice is "use a more modern system like argon2id".

Please see this email of mine regarding Argon2:

https://news-web.php.net/php.internals/120996

Other than that, the recommendation for BCrypt's cost factor (and 
basically also Argon's tunables) is "as high as feasible for your use case".

See also this post on Fediverse (it's also referenced in the initial 
email of the voting thread):

https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075

> However, I did notice some sites mention that systems ought to check
> for a maximum length of 72 bytes when using bcrypt:
> https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#input-limits
> 
> As far as I can tell, PHP does not do this check. I am not sure if the
> implementation(s) used suffer(s) from the limitation that is the
> source of this recommendation. Perhaps someone has time to investigate
> this? Anyway, it's "future work."

BCrypt-as-specified has a limit of at most 72 bytes, none of which may 
be NUL. Additional characters will simply be ignored. Think of it like 
the password would be passed through `substr($password, 0, 72)`. The 
implementation used is crypt_blowfish by Openwall [1]. The limit in the 
source code is given by this loop:

https://github.com/php/php-src/blob/2e8cdd8eecac5d34619bbd03916d0b7bcc2cc023/ext/standard/crypt_blowfish.c#L580-L582

(BF_N (16) + 2) * 4 is 72

The behavior for longer passwords is well-defined, so I'd say that PHP 
doesn't need any additional check. The only thing that could be done 
differently is throwing an exception and this is likely not a good idea 
for such a generic function as 'password_hash'.

> I have voted for 11, but will not be hurt in any way if 12 wins.
> 

Best regards
Tim Düsterhus

[1] https://github.com/openwall/crypt_blowfish