Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121237
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74252 invoked from network); 5 Oct 2023 18:32:06 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 5 Oct 2023 18:32:06 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 4D06E1804BC
	for <internals@lists.php.net>; Thu,  5 Oct 2023 11:32:06 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu,  5 Oct 2023 11:32:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1696530724;
	bh=z0ZCoFSM/t9eBGAKrguDtoZZlQ1su8ITKovoCsIxWQk=;
	h=Message-ID:Date:MIME-Version:Subject:To:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=GFd1WgFkrjPhdWBX+XtHuKhoAbOLgVtZJlaY898Y7pQ75TzRH1a8mbtaNTaDjMH2p
	 s3nAAizDmdU10sOvQoYsVhMu8ZkvkIvLiV6JJZy3UHlA7IIOpe1GjFYtxKzbYhZxd+
	 BBB3xEERJqbrtm+hh5kehv2Sr+M7WyCHN9YUGzMFPlEU1ojYGqnlg0TBbrlLDwVuNt
	 LgoscZMiNyowX8Zs2yyzieEBOBZPKV5hHS7p/Zfy9I+gUzJ7oIcVgGbRRIsAvvmcA7
	 p6qTyWJpZ0giUYomhf5JwFtsd7uKXe0UVNnvUDYO7YsZfxpA+NZjmxJ7olSBQxSSmZ
	 zwSSWjz399PGw==
Message-ID: <7098bc3c-aac4-8e35-e7b6-6d864c1b9ddc@bastelstu.be>
Date: Thu, 5 Oct 2023 20:32:03 +0200
MIME-Version: 1.0
Content-Language: en-US
To: steve@tobtu.com, PHP internals <internals@lists.php.net>
References: <a9b0d24f-fe59-75af-4b1e-dcd8067482b0@bastelstu.be>
 <263398749.1356563.1696464473187@email.ionos.com>
In-Reply-To: <263398749.1356563.1696464473187@email.ionos.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

Let me link your Fediverse reply for reference as well: 
https://infosec.exchange/@sc00bz/111178818937154254

On 10/5/23 02:07, steve@tobtu.com wrote:
> I know I'm late but bcrypt cost 12 (which looks like the winner) is high. Cost 12 is ~1 kH/s/GPU and the accepted limit for good settings is <10 kH/s/GPU. Cost 12 is 10x stronger than it needs to be as a *minimum*. I believe cost 10 is a good *default* for the next 1-3 years and cost 11 should be good for the next 5-10 years.

Yes, you were late (the vote was not yet closed at the time of your 
Fediverse post / your email, though).

According to your Fediverse reply beginning with next year, 11 would be 
an appropriate value for longevity. The default will only change 
starting in PHP 8.4 which is roughly 13 months away from its gold 
release. It will likely even longer before it actually broadly hits the 
users.

The next Debian Stable is expected to be released in the middle of 2025, 
with freeze starting around the end of 2024. Depending on the timing and 
compatibility of PHP 8.4, it might or might not make the cut. In any 
case, Debian will see PHP 8.4 no earlier than middle of 2025 and then 
users will need to upgrade to that version.

Likewise the next Ubuntu LTS is expected in April 2024 and thus will not 
include PHP 8.4, the first LTS version to include PHP 8.4 will arrive in 
April 2026.

I also expect that those versions will live in production way past the 
date the PHP project itself stops supporting them. Erring on the side of 
"strong" seems to be the right choice to me, especially since a CPU that 
is 12 years old as of today handles a cost of 12 in less than 330ms 
(which still is acceptable for interactive authentication), with current 
server CPUs (Xeon Gold 5416S mentioned by Alexandru) being at around the 
100ms you mentioned.

> Also the poll for increasing from cost 11 to cost 12 should be a 2/3 majority to get cost 12. Since the poll for increasing from cost 10 to cost 11 is a 2/3 majority. You can think of this as a 2/3 majority poll to increase to cost 11 followed by a 2/3 majority poll to increase to cost 12.
> 

I've included the majority rules within the first version of the RFC, so 
it was clear to everyone who voted how the results are going to be 
interpreted. Redefining the majority rules shortly before the end of the 
vote would be questionable, that's why I proceeded to announce the 
results with the rules that were announced at the start of the vote.

I also don't think that 12 is a wrong choice for the reasons outlined above.

Best regards
Tim Dsüterhus