[prev in list] [next in list] [prev in thread] [next in thread]
List: php-doc-cvs
Subject: [DOC-CVS] [doc-en] master: password_hash: Update script to generate cost recommendations (#2784)
From: Tim_Düsterhus_via_GitHub <noreply () php ! net>
Date: 2023-09-22 15:49:55
Message-ID: Jj78gr9A9AG3cdqlxy36sSkYvB8IlfUyRkz4P39OSVc () main ! php ! net
[Download RAW message or body]
Author: Tim Düsterhus (TimWolla)
Committer: GitHub (web-flow)
Pusher: Girgias
Date: 2023-09-22T16:36:24+01:00
Commit: https://github.com/php/doc-en/commit/c6b95280cf10b6b252683ee7d86416c4c27deb4e
Raw diff: https://github.com/php/doc-en/commit/c6b95280cf10b6b252683ee7d86416c4c27deb4e.diff
password_hash: Update script to generate cost recommendations (#2784)
50 ms is way to short to generate actually secure hashes. Update the
recommendation to 350 ms with a starting cost of 10 (the current default) and
example output of 12.
see https://wiki.php.net/rfc/bcrypt_cost_2023
Changed paths:
M reference/password/functions/password-hash.xml
Diff:
diff --git a/reference/password/functions/password-hash.xml \
b/reference/password/functions/password-hash.xml index c99069bee6e..1183c7bd13f \
100644
--- a/reference/password/functions/password-hash.xml
+++ b/reference/password/functions/password-hash.xml
@@ -295,13 +295,13 @@ $2y$12$QjSH496pcT5CEbzjD/vtVeH03tfHKFy36d4J0Ltp3lRtee9HDxY3K
/**
* This code will benchmark your server to determine how high of a cost you can
* afford. You want to set the highest cost that you can without slowing down
- * you server too much. 8-10 is a good baseline, and more is good if your servers
- * are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
- * which is a good baseline for systems handling interactive logins.
+ * you server too much. 10 is a good baseline, and more is good if your servers
+ * are fast enough. The code below aims for ≤ 350 milliseconds stretching time,
+ * which is an appropriate delay for systems handling interactive logins.
*/
-$timeTarget = 0.05; // 50 milliseconds
+$timeTarget = 0.350; // 350 milliseconds
-$cost = 8;
+$cost = 10;
do {
$cost++;
$start = microtime(true);
@@ -316,7 +316,7 @@ echo "Appropriate Cost Found: " . $cost;
&example.outputs.similar;
<screen>
<![CDATA[
-Appropriate Cost Found: 10
+Appropriate Cost Found: 12
]]>
</screen>
</example>
@@ -358,7 +358,7 @@ Argon2i hash: \
$argon2i$v=19$m=1024,t=2,p=2$YzJBSzV4TUhkMzc3d3laeg$zqU/1IN0/AogfP <note>
<para>
It is recommended that you test this function on your servers, and adjust the \
cost parameter
- so that execution of the function takes less than 100 milliseconds on \
interactive systems. + so that execution of the function takes less than 350 \
milliseconds on interactive systems.
The script in the above example will help you choose a good cost value for your \
hardware. </para>
</note>
--
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic