@Craig, warning: it's very random what kind of CPU performance you get
on your t2 instances; the CPUs vary greatly from modern to many years
old.

I know of Fortune 500 companies that have automated systems to spin up
t2 instances until they randomly get "a good one", then discard the
others, because the CPU performance varies so widely.


On Thu, 7 Sept 2023 at 23:38, Craig Francis <cr...@craigfrancis.co.uk> wrote:
>
> On 7 Sep 2023, at 18:26, Tim Düsterhus <t...@bastelstu.be> wrote:
> > in response to the recent "PASSWORD_DEFAULT value" thread [1], I've created 
> > an RFC to discuss an increase of the default BCrypt costs for 
> > `password_hash()` from the current value of 10.
> >
> > https://wiki.php.net/rfc/bcrypt_cost_2023
>
>
> Thanks Tim,
>
> Just quickly running this on two AWS EC2 servers, to give rough figures for a 
> VM (note usual issues like noisy neighbours, turbo-boost, thermal throttling, 
> etc).
>
> t2.nano
>
> Cost 8: 2.083060 total (0.020831 per hash)
> Cost 9: 4.115596 total (0.041156 per hash)
> Cost 10: 8.238419 total (0.082384 per hash)
> Cost 11: 16.334089 total (0.163341 per hash)
> Cost 12: 32.693785 total (0.326938 per hash)
> Cost 13: 65.587982 total (0.655880 per hash)
> Cost 14: 131.358058 total (1.313581 per hash)
>
> t2.small
>
> Cost 8: 2.062625 total (0.020626 per hash)
> Cost 9: 4.142067 total (0.041421 per hash)
> Cost 10: 8.231646 total (0.082316 per hash)
> Cost 11: 16.851889 total (0.168519 per hash)
> Cost 12: 32.814440 total (0.328144 per hash)
> Cost 13: 69.409889 total (0.694099 per hash)
> Cost 14: 133.682196 total (1.336822 per hash)
>
> Both nano and small only have 1 vCPU, have 0.5 vs 1 GiB RAM, and a different 
> number of CPU Credits/hr.
>
> We recently discussed hashing and costs at one of our OWASP meetings; we came
> to the conclusion that the default of 10 for bcrypt probably should be increased,
> but only to 11 for typical websites. The main concern was about making
> denial-of-service attacks easier (think of a normal website developer, who
> won't limit the number of login attempts).
>
> It's also worth keeping in mind the difference between online vs offline 
> attacks, what it's being used for, human behaviour when it comes to choosing 
> bad passwords ("123456" and "Password1!" will still be guessed very quickly), 
> etc.
>
> Craig
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>

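As an added example (not code from Craig's message or from the RFC), a PHP script that reproduces this kind of measurement: it times password_hash() at each bcrypt cost, takes the median of several runs to damp the per-VM jitter discussed above, and stops at the highest cost that still fits a per-login time budget. The 100 ms budget, the iteration count and the cost range are assumptions.

```php
<?php
// Added example (not from the thread): time password_hash() at several
// bcrypt costs and pick the highest cost whose per-hash time stays under
// a budget. Budget, iteration count and cost range are assumptions.

declare(strict_types=1);

/**
 * Time $iterations calls to password_hash() at a given bcrypt cost.
 * Returns seconds per hash, using the median run to damp the jitter
 * (turbo-boost, noisy neighbours, varying t2 CPUs) noted in the thread.
 */
function bcryptSecondsPerHash(int $cost, int $iterations = 10): float
{
    $samples = [];
    for ($i = 0; $i < $iterations; $i++) {
        // Constructed sample password: the cost factor, not the input,
        // dominates bcrypt's runtime.
        $start = hrtime(true);
        password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $start) / 1e9;
    }
    sort($samples);
    return $samples[intdiv(count($samples), 2)];
}

/**
 * Highest cost in [$minCost, $maxCost] whose median time per hash stays
 * within $budgetSeconds; falls back to $minCost if even that is too slow,
 * since bcrypt cost 10 is the current password_hash() default.
 */
function pickBcryptCost(float $budgetSeconds, int $minCost = 10, int $maxCost = 14): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $perHash = bcryptSecondsPerHash($cost);
        printf("Cost %d: %.6f per hash\n", $cost, $perHash);
        if ($perHash > $budgetSeconds) {
            // Each +1 in cost roughly doubles the time, so higher costs will not fit either.
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = pickBcryptCost(0.100); // assumed budget: 100 ms of CPU per login attempt
printf("Chosen cost: %d\n", $cost);
```

The budget is the knob that encodes the denial-of-service trade-off raised in the thread: a site that does not rate-limit logins should keep it low, since every failed attempt costs the server the full hash time.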