On Thu, Sep. 21, 2023 at 12:26 PM Tim Düsterhus wrote:

> I just opened the vote for the "Increasing the default BCrypt cost" RFC.
> The RFC contains two votes, one primary vote that requires a 2/3
> majority to pass and a secondary vote deciding on the new costs with a
> simple majority. Voting runs 2 weeks until 2023-10-05 17:45 UTC.
>
> Please find the following resources for your references:
>
> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023
Hi Tim,

Thanks for your work on this. I think bumping the default BCrypt cost from 10 to 11 is reasonable, as this typically adds less than 100 milliseconds additional latency, which shouldn't be too noticeable for users logging in.

However, I am concerned about changing the default directly from 10 to 12. Per the benchmarks in the RFC, even on recent hardware like the Apple M1 Pro this adds 179 ms additional time to verify a password (compared to 60 ms for the change to 11). This would be a noticeable slowdown for user logins. It gets even worse on older hardware, with the example of the 2011 Core i5 adding 247 milliseconds additional time at a cost of 12, vs. 81 ms additional time using a cost of 11.

It will be easy to bump the default cost again in the future, so I think a more gradual increase will be safer to avoid an obvious degradation to user login time.

Best regards,
Theodore

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
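The latency trade-off and the "bump it again later" point above both come down to two things an operator can check on their own hardware: how long each bcrypt cost takes, and whether existing hashes get upgraded transparently when the configured cost rises. The script below is an added example, not code from the thread or from the PHP project; the password strings, the legacy cost of 10 and the target cost of 11 are constructed for illustration.

```php
<?php
// Added example: measure bcrypt latency per cost on this machine, then show
// how a login path migrates a lower-cost hash to the new cost in place.
declare(strict_types=1);

/** Average wall-clock milliseconds for one password_hash() call at $cost. */
function bcrypt_latency_ms(int $cost, int $rounds = 3): float
{
    $start = hrtime(true); // nanoseconds, monotonic (PHP >= 7.3)
    for ($i = 0; $i < $rounds; $i++) {
        password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / 1e6 / $rounds;
}

// The costs discussed in the thread: 10 (current default), 11 and 12.
// Each +1 roughly doubles the time, which is what the RFC numbers reflect.
foreach ([10, 11, 12] as $cost) {
    printf("cost=%d  ~%.0f ms per hash\n", $cost, bcrypt_latency_ms($cost));
}

/**
 * Verify a login and, on success, return the hash to persist: the original
 * one if it already meets $targetCost, otherwise a freshly computed one.
 * Returns null when the password is wrong, so nothing is upgraded.
 */
function login_and_rehash(string $password, string $storedHash, int $targetCost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // password_needs_rehash() compares the cost encoded in the hash with the
    // requested options, so a raised default is applied on the next login.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return $storedHash;
}

$targetCost = 11;                                                       // assumption: the new default
$stored = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);    // constructed legacy hash
$after  = login_and_rehash('hunter2', $stored, $targetCost);

// bcrypt embeds its cost in the prefix, e.g. "$2y$10$..." -> characters 4-5.
printf("stored cost: %s, after login: %s\n", substr($stored, 4, 2), substr((string) $after, 4, 2));
```

Run it on the slowest hardware that serves logins, not on a developer laptop, since that is where the extra milliseconds from a higher cost will actually be felt.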