Newsgroups: php.internals
Date: Wed, 06 May 2015 23:10:41 +0200
From: cmbecker69@gmx.de (Christoph Becker)
To: Albert Casademont
CC: Leszek Krupinski, PHP Internals
Subject: Re: [PHP-DEV] password_hash() best practices

Albert Casademont wrote:

> The iteration count is very different because in bcrypt it's not an
> iteration count number at all, it's a "cost". And it's kinda exponential: a
> hash with a cost of 11 is twice as hard to compute than that of a 10. At
> our company we are using a cost of 11 right now, which means a hash is
> computed in around 100ms in a Core i7

A cost of N means 2**N rounds (i.e. iteration counts). Therefore a cost
of 10 means 1024 rounds.

However, the complexity of the underlying primitive should affect what
is to be considered a reasonable iteration count. For instance,
CRYPT_BLOWFISH has a minimum of 16 rounds, while CRYPT_SHA256 has a
minimum of 1000.

-- 
Christoph M. Becker
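
The cost-to-rounds relationship and the roughly 100 ms target discussed in this message, shown as an added example that is not part of the original e-mail or of PHP's own code. The helper names, the 'benchmark-only' password and the cost range probed are assumptions chosen for illustration; timings depend on the machine it runs on.

```php
<?php
// Added example (not from the thread): bcrypt cost vs. rounds and timing.
function bcrypt_rounds(int $cost): int
{
    // Cost is a log2 work factor: a cost of N means 2**N rounds.
    return 1 << $cost;
}

function cost_from_hash(string $hash): ?int
{
    // bcrypt hash layout: $2y$<two-digit cost>$<salt and digest>
    if (preg_match('/^\$2[abxy]\$(\d{2})\$/', $hash, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

function time_cost(int $cost, string $password = 'benchmark-only'): float
{
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return (microtime(true) - $start) * 1000.0; // milliseconds
}

function pick_cost(float $targetMs, int $min = 4, int $max = 16): int
{
    // Lowest cost whose hashing time reaches the target on this machine.
    for ($cost = $min; $cost <= $max; $cost++) {
        if (time_cost($cost) >= $targetMs) {
            return $cost;
        }
    }
    return $max;
}

$targetMs = 100.0; // assumption: the ~100 ms figure quoted in the thread
foreach (range(8, 12) as $cost) {
    printf("cost %2d = %5d rounds, %7.1f ms\n", $cost, bcrypt_rounds($cost), time_cost($cost));
}
$chosen = pick_cost($targetMs);
$hash = password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $chosen]);
printf("chosen cost %d, stored in hash as %d\n", $chosen, cost_from_hash($hash));

// A hash stored at a different cost is flagged so it can be upgraded at next login.
$old = password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_needs_rehash($old, PASSWORD_BCRYPT, ['cost' => $chosen]));
```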