Merged
Conversation
The default cost has not changed since the initial checkin of the code in 2007. Computers have gotten faster in general and GPGPU password cracking became a thing. BCrypt::Engine.calibrate(250) returns 12 on my Intel Core i7-4870HQ.
Collaborator
|
Agreed — thanks! |
tjschuck
added a commit
that referenced
this pull request
Nov 13, 2018
sergey-alekseev
added a commit
to sergey-alekseev/devise
that referenced
this pull request
May 11, 2019
Test script
---
```ruby
require 'bcrypt'
require 'benchmark'
Benchmark.measure { BCrypt::Password.create('password', cost: 12) }
```
Test results
---
- [Intel(R) Core(TM) i5-7360U CPU @ 2.30GHz](https://ark.intel.com/content/www/us/en/ark/products/97535/intel-core-i5-7360u-processor-4m-cache-up-to-3-60-ghz.html): `#<Benchmark::Tms:0x00007fdd00a4eb30 @Label="", @real=0.21730700000080105, @CsTime=0.0, @cutime=0.0, @stime=0.00020399999999999585, @utime=0.21685199999999996, @ToTal=0.21705599999999997>`
- [Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz](https://ark.intel.com/content/www/us/en/ark/products/137979/intel-core-i7-8559u-processor-8m-cache-up-to-4-50-ghz.html): `#<Benchmark::Tms:0x00007fe91094fd30 @Label="", @real=0.17964200000278652, @CsTime=0.0, @cutime=0.0, @stime=7.399999999996298e-05, @utime=0.17950799999999845, @ToTal=0.1795819999999984>`
Other gems
---
- bcrypt-ruby which is used by devise [updated](bcrypt-ruby/bcrypt-ruby#181) their default cost to 12 (not released a gem version yet).
- rails has [a PR](rails/rails#35321) from the Rails core team member to update their `ActiveModel::SecurePassword` which powers `has_secure_password` default cost to 13 (not merged yet).
Previous changes
---
[Previous PR](heartcombo#3549) to increase the default stretches to 12 was created more than 4 years ago. That time the default stretches value [was increased](heartcombo@9efc601) from 10 to 11.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The default cost has not changed since the initial checkin of the code in 2007. Computers have gotten faster in general and GPGPU password cracking became a thing.
BCrypt::Engine.calibrate(250)returns 12 on my Intel Core i7-4870HQ (mid-2015 Macbook). Some people argued in 2015 already that this should be the default so I think this is a pretty safe value to go with without too much bikeshedding.