Hi

On 9/22/23 09:04, Nicolas Grekas wrote:
> For the record, I voted for 11 because I think it's nicer to end users (I
> guess many don't know they could have a potential DoS vector via password
> submissions), and also because it's going to be easy to raise again in
> 8.5/9.0.
>
> I was wondering if you considered also raising the Argon2 default cost? Has
> this been discussed?

I did not consider this, because I don't have sufficient knowledge about
Argon2's behavior to write up a proper RFC for that without spreading
misinformation. For the reasons mentioned in
https://news-web.php.net/php.internals/120996, I do not use Argon2 myself.
See also this comment for further information:
https://github.com/laravel/laravel/pull/6245#issuecomment-1730504804 and
the Fediverse thread I linked in the initial email opening the vote.

Best regards
Tim Düsterhus
--
PHP Internals - PHP Runtime Development Mailing List