Allow access to default cost parameter #50
Comments
Kinda makes sense, though I don't know how often people will actually end up being in that relatively small target demographic of "I want more cost than the default now, but php may bump the default cost up to more than mine later".
This argument makes no sense to me at all. Either you care about fine-tuning bcrypt, or you don't. This idea of "I want to maximize security now, but in the future, I'll just go with whatever the default value is" seems rather weird to me. Personally, I see no reason for exposing the default cost factor. Either you rely on the function to take care of the right value, or you pass your own carefully chosen value to it and update it as time goes by.
Anecdotally, I've seen people bump the cost to 11 or 12 at the start of a new project, after reading a couple of blog posts suggesting that 10 isn't best practice any more. In all likelihood, this setting won't get changed in the application again (developers make configuration mistakes - they aren't perfect), but PHP's default will get updated. Overriding and having to maintain the default cost is a technical debt that some developers don't even consider, but if a developer hears "10 is insecure, use 11 or 12" they're going to bump it up straight away. Realistically, I think "PHP may bump the default cost up to more than mine later" is very likely to start happening in a few years' time, especially with legacy code and unsupported frameworks. Objectively, there is a use case for this and I can't see any downsides to users. However, I understand there is work involved in developing this, so if the use case is perceived to be too small then feel free to close the issue.
In a bcrypt implementation for an employer, I actually wrote a bit of logic to accommodate Moore's Law. Using something like:
    $cost = 10 + ceil((date('Y') - 2010) / 3);
Fixed with #69
There currently doesn't seem to be a way to do something like this, which would be useful:
The use case here is wanting to bump the default cost now, but not be limited in case a new PHP version bumps the default cost.
This seems to be an issue with the native password API too, so apologies if this isn't the best place for the issue.
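The pattern the issue asks for, written out as an added example (not code from password_compat or from the issue author): the application states its cost as an offset from the library's default rather than as a pinned absolute number, so a later bump of the default carries the application along with it, and existing hashes are upgraded at login via password_needs_rehash. It assumes the default is exposed as a constant named PASSWORD_BCRYPT_DEFAULT_COST; where that constant is undefined it falls back to 10, bcrypt's historical default in PHP.

```php
<?php
// Added example, not part of the password_compat project or of this issue.
// Assumption: the library/PHP default cost is exposed as PASSWORD_BCRYPT_DEFAULT_COST.
// If it is not defined in this environment, fall back to 10 (the historical default).

const COST_BUMP = 1; // how far above the default this application wants to sit

function chosenCost(): int
{
    $default = defined('PASSWORD_BCRYPT_DEFAULT_COST') ? PASSWORD_BCRYPT_DEFAULT_COST : 10;
    // Track the default upward instead of pinning an absolute value, and keep the
    // result inside bcrypt's valid range (4..31) so a large bump cannot break hashing.
    return min(31, max(4, $default + COST_BUMP));
}

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => chosenCost()]);
}

// On a successful login: verify against the stored hash, then return a replacement
// hash if the stored one was produced with a cost below the currently chosen cost.
// The caller persists 'newHash' when it is not null.
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => chosenCost()])) {
        $newHash = hashPassword($password);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Demonstration with a constructed password and a stored hash deliberately made at
// cost 4, i.e. below any plausible default, so the upgrade path is exercised.
$password = 'correct horse battery staple';
$storedHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);

$result = verifyAndUpgrade($password, $storedHash);
printf("verified: %s, upgraded: %s\n",
    $result['ok'] ? 'yes' : 'no',
    $result['newHash'] !== null ? 'yes' : 'no');
if ($result['newHash'] !== null) {
    printf("cost of stored hash: %d, cost of new hash: %d\n",
        password_get_info($storedHash)['options']['cost'],
        password_get_info($result['newHash'])['options']['cost']);
}
```

Deriving the cost from the default is what makes the upgrade path automatic: when the default moves, chosenCost() moves with it, password_needs_rehash starts returning true for the older hashes, and each user is migrated on their next successful login without a separate data migration. A wrong password never triggers a rehash, since the check only runs after password_verify succeeds.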