Newsgroups: php.internals
Subject: Re: [PHP-DEV] password_hash() best practices
From: Albert Casademont <albertcasademont@gmail.com>
To: Christoph Becker
Cc: Leszek Krupinski, PHP Internals
Date: Wed, 6 May 2015 22:53:58 +0200
In-Reply-To: <554A68DF.6050403@gmx.de>
References: <554929FC.1010807@gmx.de> <554A68DF.6050403@gmx.de>

The iteration count is very different because in bcrypt it's not an iteration count number at all, it's a "cost". And it's kinda exponential: a hash with a cost of 11 is twice as hard to compute as that of a 10. At our company we are using a cost of 11 right now, which means a hash is computed in around 100ms on a Core i7.

On Wed, May 6, 2015 at 9:17 PM, Christoph Becker wrote:

> Leszek Krupinski:
>
> > While I agree that the statement "bcrypt is better than PBKDF2, thus only
> > bcrypt should be used" is difficult to defend,
>
> Well at least the StackExchange thread[1] pointed out by Nikita supports
> the statement.
>
> > I think saying "bcrypt is a homegrown solution, only PBKDF2 is a good
> > way to do it" is also wrong and OP is opinionated.
>
> ACK.
>
> > IMO - docs should describe alternatives, without statements "X is better
> > than Y", but we also should include PBKDF2 as an option for password_hash()
> > - PHP7 is (theoretically, apparently) closed for new features, but we
> > should target the next possible version. I'm not sure if we should opt for
> > changing the default.
>
> As Nikita has pointed out there is no standardized crypt-compatible
> format for PBKDF2, so it seems to be preferable not to add it to
> password_hash().
>
> > Regarding iteration count: (again, IMO) 1024 is a bit low, but 128000 as a
> > default for everyone might be a bit too much.
>
> As I understand it, the iteration count has to be very different for
> bcrypt and PBKDF2 (the latter requiring much more rounds). Increasing
> the default cost factor of bcrypt from 10 to 11 or 12 seems to be
> reasonable, considering that 10 had been chosen nearly two years ago.
>
> [1] <http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage>
>
> --
> Christoph M. Becker
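The thread's point, that bcrypt's cost is a logarithmic work factor (each +1 doubles the time) and should be picked by timing it on the actual hardware rather than copied from a default, is easy to turn into a small calibration script. The following is an added example and not code from the thread or from PHP itself; the 100 ms budget, the starting cost of 10 and the sample passwords are assumptions, and only PHP's documented `password_hash()`, `password_verify()`, `password_needs_rehash()` and `password_get_info()` are used.

```php
<?php
// Added example (not from the mailing-list thread): pick a bcrypt cost for
// password_hash() from a wall-clock budget, then verify a login and upgrade
// an older hash whose cost is below the current policy.
// ASSUMPTIONS: 100 ms target, floor cost 10, constructed sample passwords.

declare(strict_types=1);

/**
 * Return the highest bcrypt cost whose hashing time stays within $targetMs.
 * Cost is logarithmic (each +1 roughly doubles the work), so we walk upwards
 * and stop at the first cost that overshoots. If even $minCost is too slow we
 * still return $minCost: it is a floor, never lowered for fast-but-weak hashing.
 */
function calibrateBcryptCost(float $targetMs, int $minCost = 10, int $maxCost = 31): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000.0;
        if ($elapsedMs > $targetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

/**
 * Verify a password against the stored hash. On success, return the hash to
 * keep in the database: the old one if it already meets the current cost, or a
 * fresh one computed at $currentCost. Return null when the password is wrong
 * (never rehash on a failed login).
 */
function verifyAndUpgrade(string $password, string $storedHash, int $currentCost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    $options = ['cost' => $currentCost];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return $storedHash;
}

/** Read the cost embedded in a bcrypt hash string ($2y$NN$...). */
function hashCost(string $hash): int
{
    return (int) password_get_info($hash)['options']['cost'];
}

$cost = calibrateBcryptCost(100.0);
printf("Chosen bcrypt cost for this machine: %d\n", $cost);

// Constructed scenario: a hash stored years ago at the old default cost of 10.
$password = 'correct horse battery staple'; // constructed sample
$oldHash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("Stored hash cost before login: %d\n", hashCost($oldHash));

$upgraded = verifyAndUpgrade($password, $oldHash, $cost);
printf("Stored hash cost after login:  %d\n", hashCost($upgraded));

// A wrong password must not produce a new hash.
var_dump(verifyAndUpgrade('wrong password', $oldHash, $cost) === null);
```

Run it on the server class that will actually do the hashing; a developer laptop will usually choose a higher cost than a shared application host can afford under login load. The upgrade-on-login pattern is what lets a deployment raise the default cost without forcing a password reset, because bcrypt stores its cost in the hash string and `password_needs_rehash()` compares it against the current options.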