Comments (5)
Kinda makes sense, though I don't know how often people will actually end up being in that relatively small target demographic of "I want more cost than the default now, but php may bump the default cost up to more than mine later".
from password_compat.
This argument makes no sense to me at all.
Either you care about fine-tuning bcrypt, or you don't. This idea of "I want to maximize security now, but in the future, I'll just go with whatever the default value is" seems rather weird to me.
Personally, I see no reason for exposing the default cost factor. Either you rely on the function to take care of the right value. Or you pass your own carefully chosen value to it and update it as time goes by.
from password_compat.
Anecdotally, I've seen people bump the cost to 11 or 12 at the start of a new project, after reading a couple of blog posts suggesting that 10 isn't best practice any more. In all likelihood, this setting won't get changed in the application again (developers make configuration mistakes - they aren't perfect), but PHP's default will get updated. Overriding and having to maintain the default cost is a technical debt that some developers don't even consider but if a developer hears "10 is insecure, use 11 or 12" they're going to bump it up straight away.
Realistically, I think "PHP may bump the default cost up to more than mine later" is very likely to start happening in a few years time; especially with legacy code and unsupported frameworks.
Objectively, there is a use case for this and I can't see any downsides to users. However I understand there is work involved in developing this, so if the use case is perceived to be too small then feel free to close the issue.
from password_compat.
In a bcrypt implementation for an employer, I actually wrote a bit of logic to accommodate Moore's Law:
$cost = 10 + ceil( (date('Y') - 2010) / 3);
Using something like max($cost, PASSWORD_BCRYPT_DEFAULT_COST)
would be useful if your threat model includes "the attacker is able to reset the clock to 1970", but mine doesn't.
from password_compat.
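The two comments above describe the pattern in words: a cost chosen at project start (or scaled by year) that is never allowed to drop below the engine's current default, plus a rehash when a stored hash falls behind. The following is an added example written for this page, not code from password_compat or from any of the commenters. It assumes PHP 7.1 or newer, that `PASSWORD_BCRYPT_DEFAULT_COST` is defined (it is in PHP 5.5+; a fallback of 10 is used where it is not, which is an assumption), and the application-specific names `APP_BCRYPT_COST`, `effective_bcrypt_cost`, `time_scaled_cost` and `verify_and_maybe_rehash` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example for this thread; not password_compat code. Assumes PHP >= 7.1
// with password_hash(), password_verify() and password_needs_rehash() available.

// Cost picked when the project started (the "bump it to 12" case from the thread).
// Hypothetical application constant.
const APP_BCRYPT_COST = 12;

// The year-scaled cost from the comment above (10 in 2010, +1 every three years).
// The year is passed in rather than read from the clock so it can be tested and so
// the caller can see what a clock reset to 1970 would produce.
function time_scaled_cost(int $year): int
{
    return 10 + (int) ceil(($year - 2010) / 3);
}

// Effective cost: the larger of the application's own figure and the engine default.
// A value chosen ahead of the default cannot silently fall behind it after a PHP
// upgrade, and a wrong clock cannot pull the cost below the default either.
// Fallback to 10 when the constant is missing is an assumption of this example.
function effective_bcrypt_cost(int $configured): int
{
    $engineDefault = defined('PASSWORD_BCRYPT_DEFAULT_COST') ? PASSWORD_BCRYPT_DEFAULT_COST : 10;
    $cost = max($configured, $engineDefault);
    // bcrypt only accepts cost 4..31; clamp so a bad config cannot make password_hash() fail.
    return max(4, min(31, $cost));
}

// Hash a new password at the effective cost.
function hash_password(string $plain): string
{
    $opts = ['cost' => effective_bcrypt_cost(max(APP_BCRYPT_COST, time_scaled_cost((int) date('Y'))))];
    return password_hash($plain, PASSWORD_BCRYPT, $opts);
}

// Login-time check. Returns null on a wrong password; otherwise returns the hash
// the caller should store: a fresh one if the stored hash's cost is behind the
// effective cost (password_needs_rehash() reports that), or the unchanged one.
function verify_and_maybe_rehash(string $plain, string $stored): ?string
{
    if (!password_verify($plain, $stored)) {
        return null;
    }
    $opts = ['cost' => effective_bcrypt_cost(max(APP_BCRYPT_COST, time_scaled_cost((int) date('Y'))))];
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        return password_hash($plain, PASSWORD_BCRYPT, $opts);
    }
    return $stored;
}

// Constructed demonstration: a legacy hash made at cost 10 is upgraded on the
// next successful login because the effective cost is higher.
$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$updated  = verify_and_maybe_rehash($password, $legacy);

printf("legacy prefix : %s\n", substr($legacy, 0, 7));   // $2y$10$
printf("updated prefix: %s\n", substr($updated, 0, 7));  // $2y$12$ (or higher, by year)
printf("wrong password: %s\n", var_export(verify_and_maybe_rehash('nope', $legacy), true)); // NULL
printf("cost for 1970 : %d\n", effective_bcrypt_cost(time_scaled_cost(1970))); // never below the default
```

The `max()` against the engine default is the whole point of exposing `PASSWORD_BCRYPT_DEFAULT_COST`: without it, the only way an application can know it has fallen behind the default is to hard-code the default itself, which is exactly the value it will forget to update. Rehashing only after a successful `password_verify()` is required because bcrypt hashes cannot be upgraded without the plaintext.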
Fixed with #69
from password_compat.