-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SR] Increase password hashing iterations (BACKDROP_HASH_COUNT
)
#5810
[SR] Increase password hashing iterations (BACKDROP_HASH_COUNT
)
#5810
Comments
BACKDROP_HASH_COUNT
)
...so let the bikeshedding begin 😅 It seems to me that if we increased the current value from 16 to either 17 or 18, the change would be negligible. Some might argue that that applies to 19 or even 20. But if we go to 21 iterations, we'd be increasing the time from less than 2sec to 5sec+, which might be more noticeable. |
There's also a whole different bike shed in https://www.drupal.org/project/drupal/issues/1845004 phpass's author recommends:
https://www.openwall.com/phpass/ Perhaps if you can, you should.. rather than tweaking the custom phpass implementation which I believe pre-dated the availability of a decent native alternative in PHP. |
I have filed 4 PRs (increasing the number of iterations from 16 to 17, 18, 19, and 20), to compare how this might affect our test times. Here are the results of total runtime (with sums of the 3 parts of each php version test + a total for all tests):
This is indicative of course, since the test parts run in parallel. So actual time is less than those on the table. Feel free to re-run the PRs to get fresh results. This is on GitHub shared server hardware (so times I imagine are subject to current platform load etc.), but it is real-life test runs nevertheless. I was planing to purchase a Pi for some time now, so I'll do that when I'm back to Melbourne next week, and test there soon as I get it and set it up. I will also test on a single-CPU Nanode. I believe that benchmarking on a ~$130-$150AUD hardware and $5US/month hosting should be acceptable as current "minimal" (*). (*) trying to keep in mind people in less fortunate parts of the world or from different socio-economic backgrounds, for whom I understand that these may be considerable amounts of money - not being disrespectful. |
This was brought up in #5655, but since that issue may prove tricky(ier), I'm splitting this task here into its own issue, to see if we can do it sooner.
There is a respective issue in d.o: https://www.drupal.org/project/drupal/issues/3110670, where @mcdruid has performed a benchmark to test how bigger numbers of iterations affect execution time, in which it was concluded that it is OK to increase the iterations, but not too much.
The text was updated successfully, but these errors were encountered: