On 22 Sep 2023, at 08:04, Nicolas Grekas <[email protected]> wrote:
> For the record, I voted for 11 because I think it's nicer to end users (I
> guess many don't know they could have a potential DoS vector via password
> submissions), and also because it's going to be easy to raise again in
> 8.5/9.0.

+1

I can't vote, but I would urge people to be careful with this.

While a high cost might make you *feel* good, the DoS problem is real, especially on older hardware - 10 is still fine today, 11 is a fair improvement against brute force guessing, 12 is just burning CPU cycles today, simply because the difference does not address the problem of commonly used passwords (like 123456, password1, monkey, etc).

Also, if you want to increase the cost yourself, on a system which blocks too many password attempts, you can do that easily - this is about the default, for people who are not customising it for their (shared/old) hardware.

Craig, OWASP Bristol chapter leader, and regular attendee of PasswordsCon.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
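
An added example, not part of the original message or of PHP's own code: one way to measure what each bcrypt cost means on a given host before moving away from the default, and to upgrade stored hashes at login. The function names, the 100 ms budget, the cost range and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: best-of-N time for one bcrypt hash at $cost, in milliseconds.
function bcryptMillis(int $cost, int $runs = 3): float
{
    $best = INF;
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true); // monotonic clock, nanoseconds
        password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $best = min($best, (hrtime(true) - $start) / 1e6);
    }
    return $best;
}

// Hypothetical helper: highest cost whose hash time stays within the budget.
// Falls back to $min if even that exceeds the budget (old or shared hardware).
function pickCost(float $budgetMs, int $min = 10, int $max = 14): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        $ms = bcryptMillis($cost);
        // Each step doubles the work; logins/s per core is the DoS ceiling.
        printf("cost %2d: %7.1f ms per hash, ~%.1f logins/s per core\n", $cost, $ms, 1000 / $ms);
        if ($ms > $budgetMs) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Hypothetical login hook: returns the hash to store, or null on a wrong password.
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    $options = ['cost' => $cost];
    // Rehash only when the stored hash was made with a different cost.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
        ? password_hash($password, PASSWORD_BCRYPT, $options)
        : $storedHash;
}

$cost = pickCost(100.0);
$old  = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);
$new  = verifyAndUpgrade('constructed-sample-password', $old, $cost);
printf("chosen cost %d, stored hash now uses cost %d\n", $cost, password_get_info($new)['options']['cost']);
```

The logins-per-second column is an upper bound for a single core doing nothing else; request throttling on the login endpoint still decides how much of that capacity an unauthenticated client can consume.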
