>web hosters *love* their ancient hardware

No kidding. dreamhost.com hosts over 1.5 million websites, presumably most
are on their "Shared Unlimited" package, which runs on
AMD Opteron 4122, a high-end server CPU from 2010.
Some benchmarks there:

hanshenrik@jonathan-dayton:~$ cat /proc/cpuinfo | head
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 16
model           : 8
model name      : AMD Opteron(tm) Processor 4122
stepping        : 0
microcode       : 0x10000da
cpu MHz         : 2200.000
cache size      : 512 KB
physical id     : 0
hanshenrik@jonathan-dayton:~$ php -v
PHP 8.2.5 (cli) (built: Apr 13 2023 18:45:57) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.5, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.5, Copyright (c), by Zend Technologies
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'
  Time (mean ± σ):     122.7 ms ±   2.4 ms    [User: 78.1 ms, System: 33.7 ms]
  Range (min … max):   120.0 ms … 127.5 ms    22 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'
  Time (mean ± σ):     166.4 ms ±   2.7 ms    [User: 115.1 ms, System: 39.3 ms]
  Range (min … max):   163.0 ms … 171.2 ms    18 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'
  Time (mean ± σ):     246.0 ms ±   5.2 ms    [User: 198.2 ms, System: 34.5 ms]
  Range (min … max):   241.0 ms … 256.5 ms    12 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'
  Time (mean ± σ):     409.7 ms ±   3.6 ms    [User: 355.6 ms, System: 41.6 ms]
  Range (min … max):   405.3 ms … 416.6 ms    10 runs

hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'
  Time (mean ± σ):     729.3 ms ±  10.6 ms    [User: 672.5 ms, System: 43.8 ms]
  Range (min … max):   717.3 ms … 754.5 ms    10 runs

Must say, surprisingly good performance for a 2010 CPU.

On Sun, Sep 10, 2023, 18:06 Tim Düsterhus <t...@bastelstu.be> wrote:

> Hi
>
> On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> >> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> >> created an RFC to discuss an increase of the default BCrypt costs for
> >> `password_hash()` from the current value of 10.
> >>
> >> https://wiki.php.net/rfc/bcrypt_cost_2023
> >>
> >>
> >
> > I think 12 looks reasonable.
> > I've performed some tests myself on private hosted servers with
> > newer hardware with good results for 12 around 0.1 seconds.
>
> wow, that is a 33% reduction even compared to the Xeon E-2246G and thus
> hard to believe. What CPU is that?
>
> > Can this be integrated into PHP 8.3, as it's not a new feature that can
> > cause problems?
>
> The release managers for PHP 8.3 would need to decide that. However I'd
> rather not include this in PHP 8.3 at this point.
>
> > Pushing it to 8.4 will delay the real usage with 2-3 more years already.
>
> IMO this is fine. Common frameworks can and do already use a different
> default. Symfony apparently is at 13 by default. Laravel uses 10, but
> I've already pinged someone on Mastodon to maybe have a look at the
> results of this RFC:
>
> https://phpc.social/@timwolla/111025125667858110
>
> The current default of 10 is not insecure and rolling this out a little
> more slowly will mean that more and more of the old and slow hardware
> will be retired and replaced by modern hardware, lessening the impact.
>
> > I feel like the hardware performance improvements (specifically single
> > thread performance) slightly increased in the past 3-4 years, and soon most
> > of the hosting providers will be using it.
> >
>
> From my experience as a developer of a software that is commonly run on
> shared hosting, web hosters *love* their ancient hardware, because it's
> fully depreciated from a taxation / accounting PoV and every extra day
> it is used is "free money". Customers commonly are not able to tell they
> are running with tens of other customers on this ancient hardware and
> thus won't complain ("loading times of 1 second are fine").
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>
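
Added example, not part of the original thread or of PHP's own code: a sketch that times `password_hash()` inside a single PHP process, so interpreter start-up is not included in the figures, picks the highest BCrypt cost that fits a time budget, and upgrades a stored hash with `password_needs_rehash()`. The 250 ms budget, the 9 to 13 cost range and the function names `bcryptMillis` and `pickCost` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): time password_hash() in-process,
// so interpreter start-up is excluded from the measurement.

/** Median wall time in milliseconds of one BCrypt hash at $cost. */
function bcryptMillis(int $cost, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $t0 = hrtime(true);                      // monotonic clock, nanoseconds
        password_hash('password1234', PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $t0) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/** Highest cost in [$min, $max] whose median time fits the budget ($min if none does). */
function pickCost(float $budgetMs, int $min = 9, int $max = 13): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        $ms = bcryptMillis($cost);
        printf("cost %2d: %7.1f ms\n", $cost, $ms);
        if ($ms > $budgetMs) {
            break;                               // each step roughly doubles the work
        }
        $chosen = $cost;
    }
    return $chosen;
}

$budgetMs = 250.0;                               // assumed per-login budget
$cost = pickCost($budgetMs);
echo "chosen cost: $cost\n";

// A hash stored under an older cost is replaced at the next successful login.
$stored = password_hash('password1234', PASSWORD_BCRYPT, ['cost' => 10]); // constructed sample
if (password_verify('password1234', $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
    $stored = password_hash('password1234', PASSWORD_BCRYPT, ['cost' => $cost]);
}
echo 'stored hash cost: ', password_get_info($stored)['options']['cost'], "\n";
```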
