On Thu, Sep 7, 2023 at 8:26 PM Tim Düsterhus <t...@bastelstu.be> wrote:
> Hi
>
> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> created an RFC to discuss an increase of the default BCrypt costs for
> `password_hash()` from the current value of 10.
>
> https://wiki.php.net/rfc/bcrypt_cost_2023
>

I think 12 looks reasonable. I've performed some tests myself on privately hosted servers with newer hardware, with good results for 12 of around 0.1 seconds.

Can this be integrated into PHP 8.3, as it's not a new feature that can cause problems? Pushing it to 8.4 will delay the real usage by 2-3 more years. I feel like the hardware performance improvements (specifically single-thread performance) slightly increased in the past 3-4 years, and soon most of the hosting providers will be using it.

Thank you for looking into this. Having good security configuration by default is important.

Regards,
Alex
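The kind of measurement Alex describes (timing `password_hash()` at increasing cost factors and stopping at the highest one that still fits a per-hash time budget), plus the follow-up step an operator needs once the default cost goes up: transparently rehashing existing bcrypt hashes on successful login via `password_needs_rehash()`. This is an added example, not code from the RFC or the thread; the 100 ms budget, the cost range 10..15, the run count and the sample password are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the RFC or the thread). Benchmarks bcrypt cost
// factors on the current machine and picks the highest cost whose median
// hashing time stays within TARGET_MS, then shows how stored hashes made
// with a lower cost get upgraded on the next successful login.

const TARGET_MS = 100.0; // assumed budget: ~0.1 s per hash, as in the thread
const RUNS      = 5;     // assumed: samples per cost, median taken to dampen noise

/** Median of a non-empty list of floats. */
function median(array $values): float
{
    sort($values);
    $n   = count($values);
    $mid = intdiv($n, 2);
    return $n % 2 === 1 ? $values[$mid] : ($values[$mid - 1] + $values[$mid]) / 2;
}

/** Median wall-clock time in milliseconds for one bcrypt hash at $cost. */
function benchmarkCost(int $cost, int $runs = RUNS): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true); // nanoseconds, monotonic
        password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $start) / 1e6; // ns -> ms
    }
    return median($samples);
}

/**
 * Walks costs upward and returns the highest one within the budget.
 * Each +1 in cost doubles the work, so the loop stops at the first miss.
 */
function chooseCost(float $targetMs, int $minCost = 10, int $maxCost = 15): array
{
    $timings = [];
    $chosen  = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $ms = benchmarkCost($cost);
        $timings[$cost] = $ms;
        if ($ms > $targetMs) {
            break;
        }
        $chosen = $cost;
    }
    return ['cost' => $chosen, 'timings' => $timings];
}

/**
 * Login-time check: verify the password and, if the stored hash was made
 * with a weaker cost than the one now configured, return a fresh hash that
 * the caller must persist. Returns ['ok' => bool, 'hash' => string].
 */
function verifyAndUpgrade(string $password, string $storedHash, int $cost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    $options = ['cost' => $cost];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return ['ok' => true, 'hash' => password_hash($password, PASSWORD_BCRYPT, $options)];
    }
    return ['ok' => true, 'hash' => $storedHash];
}

// --- demo -------------------------------------------------------------------
$result = chooseCost(TARGET_MS);
foreach ($result['timings'] as $cost => $ms) {
    printf("cost %2d: %7.1f ms\n", $cost, $ms);
}
printf("highest cost within %.0f ms on this host: %d\n", TARGET_MS, $result['cost']);

// Simulate a user record hashed under the old default (cost 10) and a login
// after the configured cost has been raised to the benchmarked value.
$oldHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$login   = verifyAndUpgrade('correct horse battery staple', $oldHash, $result['cost']);
printf("login ok: %s, hash upgraded: %s\n",
    $login['ok'] ? 'yes' : 'no',
    $login['hash'] !== $oldHash ? 'yes' : 'no');
```

Run it once on the actual production hardware (the benchmark is only meaningful there, not on a developer laptop), and pass the chosen cost explicitly in the `options` argument of `password_hash()` rather than relying on the default, so the value survives PHP upgrades in either direction. The rehash-on-login path is what makes a raised cost take effect for accounts created before the change; without it, old hashes keep their old cost indefinitely.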