Hi
On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default bcrypt cost for
> `password_hash()` from the current value of 10.
> https://wiki.php.net/rfc/bcrypt_cost_2023
> I think 12 looks reasonable.
> I've performed some tests myself on privately hosted servers with
> newer hardware with good results for 12 around 0.1 seconds.
Wow, that is a 33% reduction even compared to the Xeon E-2246G and thus
hard to believe. What CPU is that?
> Can this be integrated into PHP 8.3, as it's not a new feature that can
> cause problems?
The release managers for PHP 8.3 would need to decide that. However I'd
rather not include this in PHP 8.3 at this point.
> Pushing it to 8.4 will delay the real usage by 2-3 more years already.
IMO this is fine. Common frameworks can and do already use a different
default. Symfony apparently is at 13 by default. Laravel uses 10, but
I've already pinged someone on Mastodon to maybe have a look at the
results of this RFC:
https://phpc.social/@timwolla/111025125667858110
The current default of 10 is not insecure and rolling this out a little
more slowly will mean that more and more of the old and slow hardware
will be retired and replaced by modern hardware, lessening the impact.
> I feel like the hardware performance improvements (specifically single-
> thread performance) slightly increased in the past 3-4 years, and soon most
> of the hosting providers will be using it.
From my experience as a developer of software that is commonly run on
shared hosting, web hosters *love* their ancient hardware, because it's
fully depreciated from a taxation / accounting PoV and every extra day
it is used is "free money". Customers commonly are not able to tell they
are running with tens of other customers on this ancient hardware and
thus won't complain ("loading times of 1 second are fine").
Best regards
Tim Düsterhus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
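The thread turns on two practical questions: how long a given bcrypt cost actually takes on the hardware you deploy to, and what happens to hashes stored at the old cost once the default moves. The script below is an added example written for this page; it is not code from the thread, from the RFC, or from PHP itself. It times `password_hash()` at increasing costs and picks the highest cost under a latency budget, then shows the `password_needs_rehash()` path that upgrades a cost-10 hash on the user's next successful login. The 100 ms budget, the sample passwords and the helper names (`bcryptMillis`, `chooseBcryptCost`, `verifyAndUpgrade`) are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the thread or from PHP's own sources): pick a bcrypt
// cost for password_hash() by timing it on the deployment hardware, then
// upgrade stored hashes that were produced at a lower cost.

declare(strict_types=1);

/**
 * Median wall-clock time of one bcrypt hash at $cost, in milliseconds.
 * Several samples are taken because a shared host is noisy.
 */
function bcryptMillis(int $cost, int $samples = 3): float
{
    $times = [];
    for ($i = 0; $i < $samples; $i++) {
        $start = hrtime(true); // nanoseconds, PHP >= 7.3
        password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
        $times[] = (hrtime(true) - $start) / 1e6;
    }
    sort($times);
    return $times[intdiv(count($times), 2)];
}

/**
 * Highest cost whose hashing time stays within $targetMillis, never below $floor.
 * bcrypt work doubles with every cost step, so the scan stops after a few rounds.
 * PHP accepts costs 4..31; 10 is the default this thread discusses raising.
 */
function chooseBcryptCost(float $targetMillis, int $floor = 10, int $ceiling = 31): int
{
    $chosen = $floor;
    for ($cost = $floor; $cost <= $ceiling; $cost++) {
        $ms = bcryptMillis($cost);
        printf("cost %2d: %7.1f ms\n", $cost, $ms);
        if ($ms > $targetMillis) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

/**
 * Verify a login and transparently re-hash when the stored hash was made with a
 * different (typically lower) cost. Returns the hash to store back, or null if
 * the password was wrong. This is how a raised default reaches existing users.
 */
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $storedHash;
}

// Assumption for this example: a budget of ~100 ms per hash, the figure quoted
// in the thread for cost 12 on newer hardware. Tune it to your login latency budget.
$cost = chooseBcryptCost(100.0);
printf("chosen cost: %d\n", $cost);

// Constructed sample: a hash stored at the old default cost of 10, upgraded on login.
$legacy  = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
$updated = verifyAndUpgrade('hunter2', $legacy, $cost);
$info    = password_get_info($updated ?? $legacy);
printf("rehashed: %s\n", ($updated !== null && $updated !== $legacy) ? 'yes' : 'no');
printf("cost in stored hash: %d\n", $info['options']['cost']);
```

Run it once on the slowest machine the application is expected to serve from, not on a developer laptop: the cost chosen is a property of that hardware, and the thread's point about depreciated shared-hosting boxes is exactly why a number measured on a recent Xeon can be too high elsewhere. Because `verifyAndUpgrade()` only re-hashes after a successful `password_verify()`, raising the cost never locks anyone out; old hashes simply persist until their owners next log in.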