Changes between Initial Version and Version 1 of Ticket #50027, comment 19
- Timestamp:
- 10/13/2023 01:11:52 AM (11 months ago)
Ticket #50027, comment 19
Line 6 (unmodified in initial and v1):

Imagine getting ~20 logins at a time (a server hosting many websites, or maybe someone sends an email to a few thousand customers); with a cost of 10, that will slow down requests for every other non-login page, e.g. from ~0.09 seconds to ~1.1 seconds, while not good, it's still manageable; cost of 11 takes that to ~2.1 seconds; cost of 12 goes to ~4.2 seconds (timings from a simple `ab -n 200 -c 20` to call password_hash, and `while true; do curl -o /dev/null -s -w '%{time_total}\n'` to time a basic page while this is running)... that said, a denial of service **attack** is a different consideration (i.e. don't allow hundreds of requests from a single source).

Line 7 (unmodified, blank).

Line 8 (modified):

initial: 3. Maybe we should also use `normalizer_normalize($password, Normalizer::FORM_KD)`, ref [https://www.quora.com/Why-are-high-ANSI-characters-not-allowed-in-passwords/answer/Jeffrey-Goldberg UTF normalization], and [https://pages.nist.gov/800-63-3/sp800-63b.html 800-63B, section 5.1.1.2].

v1: 3. Maybe we should also use `normalizer_normalize($password, Normalizer::FORM_KD)`, ref [https://www.quora.com/Why-are-high-ANSI-characters-not-allowed-in-passwords/answer/Jeffrey-Goldberg UTF normalization], and [https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver 800-63B, section 5.1.1.2].
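The two ideas in the comment above, NFKD-normalizing before hashing and timing bcrypt at costs 10 to 12, as an added standalone example; this is not code from the ticket or from WordPress, and the function names and the sample strings are assumptions. It needs the intl extension for `normalizer_normalize()`.

```php
<?php
// Added example (not from the ticket): apply the same NFKD normalization on
// both the hashing and the verifying path, so a password typed with a
// different Unicode composition still produces the same bytes for bcrypt.

function normalize_password(string $password): string {
    // normalizer_normalize() returns false for input that is not valid UTF-8;
    // in that case hash the raw bytes rather than rejecting the login outright.
    $normalized = normalizer_normalize($password, Normalizer::FORM_KD);
    return $normalized === false ? $password : $normalized;
}

function hash_password(string $password, int $cost = 10): string {
    // Note: bcrypt only uses the first 72 bytes; normalization happens first.
    return password_hash(normalize_password($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verify_password(string $password, string $hash): bool {
    return password_verify(normalize_password($password), $hash);
}

// Seconds per hash at a given cost on this host, to compare against the
// page-load budget the comment describes before raising the default cost.
function benchmark_cost(int $cost, int $iterations = 3): float {
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / $iterations / 1e9;
}

// Constructed sample: "é" precomposed (U+00E9) versus "e" + combining acute
// (U+0065 U+0301) are different byte strings until NFKD is applied.
$precomposed = "caf\u{00E9}";
$decomposed  = "cafe\u{0301}";
$hash = hash_password($precomposed, 10);

// Verifying the decomposed form against the hash of the precomposed form
// only succeeds because both sides are normalized the same way.
var_dump(verify_password($decomposed, $hash));

foreach ([10, 11, 12] as $cost) {
    printf("cost %d: %.3f s per hash\n", $cost, benchmark_cost($cost));
}
```

Normalizing changes the bytes that get hashed, so it can only be introduced for newly set passwords or with a fallback verification against the un-normalized input for hashes created before the change.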