Wireless Army
This is a blog / tips and tricks website for web developers and security researchers.


calculate cost for password
by admin at 2017-04-08 20:04:00.

If you are building a site with logins and passwords, you do not want password hashing to drive your server load up. bcrypt is deliberately slow, and the "cost" parameter controls how slow: each increment doubles the work, for your server and for anyone who steals your hash database.

// password_hash() generates a cryptographically random salt on its own; the
// "salt" option is deprecated since PHP 7.0 and removed in PHP 8.0, and
// mcrypt_create_iv() was removed in PHP 7.2. The only option you choose is the cost.
$options = [
    'cost' => 12,
];
$hashed_password = password_hash($password, PASSWORD_BCRYPT, $options);

The code below benchmarks your server to determine how high a cost you can afford. Set the highest cost you can without slowing your server down too much: 8 to 10 is a reasonable baseline, and higher is better if your servers are fast enough. The snippet aims for about 50 milliseconds of hashing time per login, a sensible budget for systems handling interactive logins. The result depends on the machine you run it on, so measure on hardware comparable to production rather than on a developer laptop.

$timeTarget = 0.05; // 50 milliseconds per hash
$cost = 8;          // bcrypt accepts costs 4..31; start at the baseline
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget && $cost < 31);
// The loop stops at the first cost that takes at least $timeTarget, so the
// cost just below it is the highest one that still fits the budget.
if (($end - $start) >= $timeTarget) {
    $cost--;
}
echo "Appropriate Cost Found: " . $cost . "\n";
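Once you have tuned the cost, two things remain that the benchmark above does not cover: a single timing is noisy on a busy machine, and hashes already stored with an older, lower cost should be upgraded when the user next logs in. The following is an added example, not code from the original post; `chooseBcryptCost()`, `loginUser()` and the in-memory `$users` array are hypothetical stand-ins for a real benchmark script and user store. It picks the cost from the median of several runs and uses PHP's `password_needs_rehash()` to upgrade stored hashes transparently at login, verifying against a dummy hash for unknown usernames so that response time does not reveal which accounts exist.

```php
<?php
// Added example (not from the original post). chooseBcryptCost(), loginUser()
// and the in-memory $users store are hypothetical stand-ins.
declare(strict_types=1);

/**
 * Return the highest bcrypt cost whose median hashing time stays under
 * $timeTargetSeconds. The median of several runs is less sensitive to a
 * momentarily busy server than a single measurement.
 */
function chooseBcryptCost(float $timeTargetSeconds = 0.05, int $samples = 5, int $minCost = 8): int
{
    $cost = $minCost;
    while ($cost < 31) {                 // bcrypt allows costs 4..31
        $times = [];
        for ($i = 0; $i < $samples; $i++) {
            $start = hrtime(true);
            password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
            $times[] = (hrtime(true) - $start) / 1e9;
        }
        sort($times);
        $median = $times[intdiv($samples, 2)];
        if ($median >= $timeTargetSeconds) {
            break;                       // cost + 1 blows the budget; keep current cost
        }
        $cost++;
    }
    return $cost;
}

/**
 * Verify a login. On success, if the stored hash was made with a different
 * cost than the one we now want, rehash the password and store the new hash.
 * Returns only true/false so the caller cannot tell *why* a login failed.
 */
function loginUser(array &$users, string $username, string $password, int $targetCost): bool
{
    // Unknown users are verified against a dummy hash of the same cost, so a
    // missing account costs the same time as a wrong password.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-never-matches', PASSWORD_BCRYPT, ['cost' => $targetCost]);

    $stored = $users[$username]['hash'] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        // We only have the plaintext at login time, so this is the moment to upgrade.
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return true;
}

// --- demo with a constructed in-memory user store ---
$targetCost = chooseBcryptCost(0.05);
$users = [
    // Hash created earlier at cost 8; it is upgraded on the first successful
    // login if the chosen cost is higher than 8.
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 8])],
];

printf("Chosen cost: %d\n", $targetCost);
printf("Cost in stored hash before login: %d\n", password_get_info($users['alice']['hash'])['options']['cost']);
var_dump(loginUser($users, 'alice', 'wrong password', $targetCost));
var_dump(loginUser($users, 'alice', 'correct horse battery staple', $targetCost));
printf("Cost in stored hash after login: %d\n", password_get_info($users['alice']['hash'])['options']['cost']);
var_dump(loginUser($users, 'mallory', 'anything', $targetCost));
```

Run it once on a production-class host and cache the chosen cost in configuration rather than benchmarking on every request; the rehash-on-login path then raises old hashes to the new cost over time without any bulk migration, and `password_get_info()` lets you monitor how many stored hashes are still below the target.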