Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
more results on ARM:

RK3399 - Cortex-A7x
Cost 10: 10.694221 total (0.106942 per hash)
Cost 11: 21.360409 total (0.213604 per hash)
Cost 12: 42.692786 total (0.426928 per hash)

RK3399 - Cortex-A5x
Cost 10: 15.146773 total (0.151468 per hash)
Cost 11: 30.272059 total (0.302721 per hash)
Cost 12: 60.607128 total (0.606071 per hash)

Ampere Altra
Cost 10: 6.286994 total (0.062870 per hash)
Cost 11: 13.056349 total (0.130563 per hash)
Cost 12: 25.230312 total (0.252303 per hash)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
On 22 Sep 2023, at 08:04, Nicolas Grekas wrote:
> For the record, I voted for 11 because I think it's nicer to end users (I
> guess many don't know they could have a potential DoS vector via password
> submissions), and also because it's going to be easy to raise again in
> 8.5/9.0.

+1

I can't vote, but I would urge people to be careful with this. While a high cost might make you *feel* good, the DoS problem is real, especially on older hardware - 10 is still fine today, 11 is a fair improvement against brute force guessing, 12 is just burning CPU cycles today, simply because the difference does not address the problem of commonly used passwords (like 123456, password1, monkey, etc).

Also, if you want to increase the cost yourself, on a system which blocks too many password attempts, you can do that easily - this is about the default, for people who are not customising it for their (shared/old) hardware.

Craig, OWASP Bristol chapter leader, and regular attendee of PasswordsCon.
Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
Hi

On 9/22/23 09:04, Nicolas Grekas wrote:
> For the record, I voted for 11 because I think it's nicer to end users (I
> guess many don't know they could have a potential DoS vector via password
> submissions), and also because it's going to be easy to raise again in
> 8.5/9.0.
>
> I was wondering if you considered also raising the Argon2 default cost?
> Has this been discussed?

I did not consider this, because I don't have sufficient knowledge about Argon2's behavior to write up a proper RFC for that without spreading misinformation. For the reasons mentioned in https://news-web.php.net/php.internals/120996, I do not use Argon2 myself. See also this comment for further information: https://github.com/laravel/laravel/pull/6245#issuecomment-1730504804 and the Fediverse thread I linked in the initial email opening the vote.

Best regards
Tim Düsterhus
Re: [PHP-DEV] [RFC] [Discussion] XML_OPTION_PARSE_HUGE
Hi Larry

On 22/09/2023 01:05, Larry Garfield wrote:
> On Thu, Sep 21, 2023, at 9:26 PM, Niels Dossche wrote:
>> Hi internals
>>
>> I'd like to put a new RFC under discussion:
>> https://wiki.php.net/rfc/xml_option_parse_huge
>>
>> Kind regards
>> Niels
>
> Seems reasonable to me at first glance. Some code samples in the RFC showing
> usage would help. It would also help to know what the actual definition of
> huge is right now; just referencing a header file in some other library
> doesn't help me. :-)

Will do both, thanks.

> --Larry Garfield

Kind regards
Niels
Re: [PHP-DEV] [RFC] [Discussion] XML_OPTION_PARSE_HUGE
Hi Aleksander

On 22/09/2023 07:51, Aleksander Machniak wrote:
> On 21.09.2023 23:26, Niels Dossche wrote:
>> I'd like to put a new RFC under discussion:
>> https://wiki.php.net/rfc/xml_option_parse_huge
>
> Looking at LIBXML_PARSEHUGE at
> https://www.php.net/manual/en/libxml.constants.php
>
> - there's discrepancy regarding the libxml version the feature was introduced
> in,

I'll fix this, it should indeed be 2.7.0.

> - maybe existence of this constant should be mentioned in the RFC.

Agreed, I'll add this.

Thanks for noticing these.

Cheers
Niels
Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
> I just opened the vote for the "Increasing the default BCrypt cost" RFC.
> The RFC contains two votes, one primary vote that requires a 2/3
> majority to pass and a secondary vote deciding on the new costs with a
> simple majority. Voting runs 2 weeks until 2023-10-05 17:45 UTC.
>
> Please find the following resources for your references:
>
> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023
> Discussion Thread: https://externals.io/message/121004
> Feedback by a Hashcat team member on Fediverse:
> https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075
>

Hi Tim,

For the record, I voted for 11 because I think it's nicer to end users (I guess many don't know they could have a potential DoS vector via password submissions), and also because it's going to be easy to raise again in 8.5/9.0.

I was wondering if you considered also raising the Argon2 default cost? Has this been discussed?

Thanks for the RFC
Nicolas
Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
On 21/09/2023 at 19:26, Tim Düsterhus wrote:
> Hi
>
> I just opened the vote for the "Increasing the default BCrypt cost" RFC.
> The RFC contains two votes, one primary vote that requires a 2/3
> majority to pass and a secondary vote deciding on the new costs with a
> simple majority. Voting runs 2 weeks until 2023-10-05 17:45 UTC.
>
> Please find the following resources for your references:

Tested on ARM (Neoverse-N1)

Cost 9: 5.175103 total (0.051751 per hash)
Cost 10: 10.325875 total (0.103259 per hash)
Cost 11: 20.627759 total (0.206278 per hash)
Cost 12: 41.231114 total (0.412311 per hash)
Cost 13: 82.437880 total (0.824379 per hash)
Cost 14: 164.851835 total (1.648518 per hash)

So 11 seems reasonable.

Remi

> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023
> Discussion Thread: https://externals.io/message/121004
> Feedback by a Hashcat team member on Fediverse:
> https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075
>
> Best regards
> Tim Düsterhus
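The per-cost figures Remi and the other ARM results in this thread report are 100 hashes per cost (total divided by 100 gives the per-hash time). As an added example, not code from this thread or from php-src, the following PHP script reproduces that measurement with password_hash(), picks the highest cost that stays within a latency budget for the machine it runs on, and uses password_needs_rehash() to move already stored hashes to the chosen cost on the next successful login; the iteration count, the 250 ms budget and the helper names are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread or from php-src. Reproduces the
// "total / per hash" measurement posted in the thread (100 hashes per cost),
// picks the highest cost within a latency budget, and migrates stored hashes
// to that cost on login. ITERATIONS and BUDGET_SECONDS are assumptions.
const ITERATIONS = 100;
const BUDGET_SECONDS = 0.25; // assumed acceptable time per login verify
/** Time ITERATIONS password_hash() calls at $cost; returns [total, perHash]. */
function benchmarkCost(int $cost, string $password = 'benchmark-password'): array
{
    $start = hrtime(true);
    for ($i = 0; $i < ITERATIONS; $i++) {
        password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    $total = (hrtime(true) - $start) / 1e9;
    return [$total, $total / ITERATIONS];
}

/** Highest cost in [$min, $max] whose per-hash time stays within $budget. */
function chooseCost(int $min, int $max, float $budget): int
{
    $chosen = $min;
    for ($cost = $min; $cost <= $max; $cost++) {
        [$total, $perHash] = benchmarkCost($cost);
        printf("Cost %d: %f total (%f per hash)\n", $cost, $total, $perHash);
        if ($perHash > $budget) {
            break; // each further cost roughly doubles the time, so stop here
        }
        $chosen = $cost;
    }
    return $chosen;
}

/** On a successful login, re-hash if the stored hash uses a different cost. */
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null; // wrong password: never touch the stored hash
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $storedHash;
}
$cost = chooseCost(9, 14, BUDGET_SECONDS);
printf("Chosen cost: %d\n", $cost);
$old = password_hash('example-password', PASSWORD_BCRYPT, ['cost' => 10]);
$new = verifyAndUpgrade('example-password', $old, $cost);
printf("Rehashed on login: %s\n", $new !== $old ? 'yes' : 'no');
```

Run it on the production hardware, not a developer laptop, since the thread's numbers show the same cost spanning a 2.5x range across ARM cores.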