Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Craig Francis
On 25 Sep 2023, at 18:07, Tim Düsterhus wrote: > I've now done the maths and you really need rate limiting no matter if you use > costs 10, 11 or 12, so I believe the DoS argument is a little moot. Yes, someone being malicious could easily generate enough requests to create a Denial of

Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Tim Düsterhus
Hi On 9/25/23 21:43, Levi Morrison via internals wrote: I did a tiny bit of my own research, and could not find any recommendations more specific than "10 or more" as the cost factor. Typically, the advice is "use a more modern system like argon2id". Please see this email of mine regarding

Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Kamil Tekiela
Yes, BCrypt uses only the first 72 bytes for hash generation. You can test it with: var_dump(password_verify(str_repeat('a', 72).'sdfsdf', password_hash(str_repeat('a', 80), PASSWORD_BCRYPT))); But I would not consider this an issue. Users rarely create passwords longer than 72 bytes. 72 bytes

Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Levi Morrison via internals
> Please find the following resources for your references: > > RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023 > Discussion Thread: https://externals.io/message/121004 > Feedback by a Hashcat team member on Fediverse: > https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075 I

Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Tim Düsterhus
Hi On 9/22/23 10:46, Craig Francis wrote: On 22 Sep 2023, at 08:04, Nicolas Grekas wrote: For the record, I voted for 11 because I think it's nicer to end users (I guess many don't know they could have a potential DoS vector via password submissions), and also because it's going to be easy

Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

2023-09-25 Thread Tim Düsterhus
Hi On 9/25/23 06:20, Theodore Brown wrote: Thanks for your work on this. I think bumping the default BCrypt cost from 10 to 11 is reasonable, as this typically adds less than 100 milliseconds additional latency, which shouldn't be too noticeable for users logging in. However, I am concerned

Re: [PHP-DEV] Security Audit Priorities

2023-09-25 Thread Tim Düsterhus
Hi On 9/25/23 10:49, Derick Rethans wrote: So, if you can suggest an area where doing an external review would have high impact, please reply to this email. Some things off the top of my head, in arbitrary order. Not all of them are necessarily important themselves per se, but rather intended to

Re: [PHP-DEV] Security Audit Priorities

2023-09-25 Thread Hans Henrik Bergan
The php-fpm master<->php-fpm worker glue code. The php-fpm master usually runs as *root*, so a compromise in that glue could lead to webserver rooting. On Mon, 25 Sept 2023 at 10:49, Derick Rethans wrote: > > Hi, > > The Foundation is organising an external audit/security check of the PHP > source

Re: [PHP-DEV] Re: [RFC] [Discussion] DOM HTML5 parsing and serialization support

2023-09-25 Thread Derick Rethans
On Sat, 23 Sep 2023, Niels Dossche wrote: > On 9/2/23 21:41, Niels Dossche wrote: > > > > I'm opening the discussion for my RFC "DOM HTML5 parsing and > > serialization support". > > https://wiki.php.net/rfc/domdocument_html5_parser > > Some minor changes after a discussion with Tim: > > * The

[PHP-DEV] Security Audit Priorities

2023-09-25 Thread Derick Rethans
Hi, The Foundation is organising an external audit/security check of the PHP source code. As part of that, we would like to identify the places in the PHP source code where checking this will have the most impact. Typical areas would be where user input can be (automatically read) remotely,