> web hosters *love* their ancient hardware

No kidding. dreamhost.com hosts over 1.5 million websites, presumably most are on their "Shared Unlimited" package, which runs on AMD Opteron 4122, a high-end server CPU from 2010. Some benchmarks there:

hanshenrik@jonathan-dayton:~$ cat /proc/cpuinfo | head
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 16
model           : 8
model name      : AMD Opteron(tm) Processor 4122
stepping        : 0
microcode       : 0x10000da
cpu MHz         : 2200.000
cache size      : 512 KB
physical id     : 0
hanshenrik@jonathan-dayton:~$ php -v
PHP 8.2.5 (cli) (built: Apr 13 2023 18:45:57) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.5, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.5, Copyright (c), by Zend Technologies
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>9]);'
  Time (mean ± σ):     122.7 ms ± 2.4 ms    [User: 78.1 ms, System: 33.7 ms]
  Range (min … max):   120.0 ms … 127.5 ms    22 runs
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>10]);'
  Time (mean ± σ):     166.4 ms ± 2.7 ms    [User: 115.1 ms, System: 39.3 ms]
  Range (min … max):   163.0 ms … 171.2 ms    18 runs
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>11]);'
  Time (mean ± σ):     246.0 ms ± 5.2 ms    [User: 198.2 ms, System: 34.5 ms]
  Range (min … max):   241.0 ms … 256.5 ms    12 runs
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>12]);'
  Time (mean ± σ):     409.7 ms ± 3.6 ms    [User: 355.6 ms, System: 41.6 ms]
  Range (min … max):   405.3 ms … 416.6 ms    10 runs
hanshenrik@jonathan-dayton:~$ hyperfine 'php -r '\''password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'\'''
Benchmark 1: php -r 'password_hash("password1234",PASSWORD_BCRYPT,["cost"=>13]);'
  Time (mean ± σ):     729.3 ms ± 10.6 ms    [User: 672.5 ms, System: 43.8 ms]
  Range (min … max):   717.3 ms … 754.5 ms    10 runs

must say, surprisingly good performance for a 2010 cpu

On Sun, Sep 10, 2023, 18:06 Tim Düsterhus <t...@bastelstu.be> wrote:

> Hi
>
> On 9/8/23 18:49, Alexandru Pătrănescu wrote:
> >> in response to the recent "PASSWORD_DEFAULT value" thread [1], I've
> >> created an RFC to discuss an increase of the default BCrypt costs for
> >> `password_hash()` from the current value of 10.
> >>
> >> https://wiki.php.net/rfc/bcrypt_cost_2023
> >>
> >>
> >
> > I think 12 looks reasonable.
> > I've performed some tests myself on private hosted servers with
> > newer hardware with good results for 12 around 0.1 seconds.
>
> wow, that is a 33% reduction even compared to the Xeon E-2246G and thus
> hard to believe. What CPU is that?
>
> > Can this be integrated into PHP 8.3, as it's not a new feature that can
> > cause problems?
>
> The release managers for PHP 8.3 would need to decide that. However I'd
> rather not include this in PHP 8.3 at this point.
>
> > Pushing it to 8.4 will delay the real usage with 2-3 more years already.
>
> IMO this is fine. Common frameworks can and do already use a different
> default. Symfony apparently is at 13 by default. Laravel uses 10, but
> I've already pinged someone on Mastodon to maybe have a look at the
> results of this RFC:
>
> https://phpc.social/@timwolla/111025125667858110
>
> The current default of 10 is not insecure and rolling this out a little
> more slowly will mean that more and more of the old and slow hardware
> will be retired and replaced by modern hardware, lessening the impact.
>
> > I feel like the hardware performance improvements (specifically single
> > thread performance) slightly increased in the past 3-4 years, and soon
> > most of the hosting providers will be using it.
> >
>
> From my experience as a developer of a software that is commonly run on
> shared hosting, web hosters *love* their ancient hardware, because it's
> fully depreciated from a taxation / accounting PoV and every extra day
> it is used is "free money". Customers commonly are not able to tell they
> are running with tens of other customers on this ancient hardware and
> thus won't complain ("loading times of 1 second are fine").
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
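
For readers who want to size the bcrypt cost on their own host and move stored hashes to a higher cost, the following is an added example, not code from this thread or from the RFC. It times `password_hash()` inside one process, picks the highest cost within a time budget, and rehashes on login with `password_needs_rehash()`; the function names and the 250 ms budget are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Median in-process time (ms) of password_hash() at a given bcrypt cost.
// Timing inside one process leaves out interpreter startup, which a
// `php -r` benchmark includes in every run.
function bcryptMillis(int $cost, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

// Highest cost whose median time fits $budgetMs (hypothetical helper).
// Never returns less than $min, even if $min itself exceeds the budget.
function pickCost(float $budgetMs, int $min = 10, int $max = 15): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        if (bcryptMillis($cost) > $budgetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Login check that upgrades a stored hash when the configured cost is raised.
// Returns the hash to store (unchanged if current), or null on a wrong password.
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    $options = ['cost' => $cost];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return $storedHash;
}

$cost = pickCost(250.0); // 250 ms budget is an assumed value
$old  = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);
$new  = verifyAndUpgrade('constructed-sample-password', $old, $cost);
printf("cost=%d rehashed=%s\n", $cost, $new !== $old ? 'yes' : 'no');
```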