> On 09/07/2023 4:37 PM CDT Craig Francis wrote:
>
> We recently discussed hashing and costs at one of our OWASP meetings, we came
> to the conclusion that the default of 10 for bcrypt probably should be increased,
> but only to 11 for typical websites. The main concern was about making
> denial-o
Hi
On 9/7/23 19:26, Tim Düsterhus wrote:
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
> https://wiki.php.net/rfc/bcrypt_cost_2023
> This message is intended
On Sun, Sep 10, 2023 at 7:06 PM Tim Düsterhus wrote:
> Hi
>
> On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> >
> > I think 12 looks reasonable.
> > I've performed some tests myself on private hosted servers with
> > newer hardware with good results for 12 around 0.1 seconds.
>
> wow, that is a 33
>you're also measuring the startup cost of PHP itself.
yup correct
>A simple microtime(true) benchmark loop as used with my test script should be
>fine for ballpark estimates
agreed
>dwarfing the measurement overhead.
wouldn't count out random cpu context switch/background noise
completely, s
Hi
On 9/12/23 17:56, Hans Henrik Bergan wrote:
> >web hosters *love* their ancient hardware
> No kidding. dreamhost.com hosts over 1.5 million websites, presumably most
> are on their "Shared Unlimited" package, which runs on
> AMD Opteron 4122, a high-end server CPU from 2010.
> Some benchmarks there:
>web hosters *love* their ancient hardware
No kidding. dreamhost.com hosts over 1.5 million websites, presumably most
are on their "Shared Unlimited" package, which runs on
AMD Opteron 4122, a high-end server CPU from 2010.
Some benchmarks there:
hanshenrik@jonathan-dayton:~$ cat /proc/cpuinfo | h
Hi
On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> > in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> > created an RFC to discuss an increase of the default BCrypt costs for
> > `password_hash()` from the current value of 10.
> > https://wiki.php.net/rfc/bcrypt_cost_2023
> I think 12 look
On Thu, Sep 7, 2023 at 8:26 PM Tim Düsterhus wrote:
> Hi
>
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
@Craig warning, it's very random what kind of CPU performance you get
on your t2 instances, the CPUs vary greatly from modern to many years
old.
I know of Fortune 500 companies that have automated systems to spin up
t2 instances until they randomly get "a good one", then discard the
others, becaus
On 7 Sep 2023, at 18:26, Tim Düsterhus wrote:
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've created
> an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
Thanks Ti
Hi
On 9/7/23 20:05, Niels Dossche wrote:
> I just noticed one small detail.
> From the RFC text: "All tests were carried out using wall-power." I guess you
> mean wall-time?
No, this means that the laptops whose CPUs were tested were plugged
into the wall :-)
I've added a parenthesis clarifyi
Hi Tim
On 07/09/2023 19:26, Tim Düsterhus wrote:
> Hi
>
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've created
> an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
Hi
in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
created an RFC to discuss an increase of the default BCrypt costs for
`password_hash()` from the current value of 10.
https://wiki.php.net/rfc/bcrypt_cost_2023
This message is intended to officially open the discussion pe