View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007727 | OXID eShop (all versions) | 4.04. Security | public | 2024-09-27 10:37 | 2024-10-30 07:53 |

| Field | Value |
|---|---|
| Reporter | michael_keiluweit |
| Assigned To | |
| Priority | normal |
| Severity | minor |
| Reproducibility | N/A |
| Status | confirmed |
| Resolution | open |
| Summary | 0007727: Increase bcrypt cost |

Description:

PHP will increase the default cost value of the bcrypt algorithm to 12 with PHP 8.4 (*1). The current value was last changed in 2012 and hardware has become better since then. So increasing our defined cost value should be considered as well (*2): https://github.com/OXID-eSales/oxideshop_ce/blob/c7fffe8b2143ad8dc4c7598a9baecec174ad77ba/source/Internal/Utility/Hash/services.yaml#L2

The cost can be changed without affecting the old hashes (*3), since the cost is part of the hash:

- cost 10: `$2y$10$SqQvqdiFw3R3.hv6g5sq0.M6hlXIRmqNk8tShKCW/5zgX86XudM56`
- cost 12: `$2y$12$fKcaDQwFvCQGcz1uEFADhuZ73e5D/AHo/n3gor8BJVuNFBpfewnj2`

Sources:

- *1. https://wiki.php.net/rfc/bcrypt_cost_2023
- *2. https://securinglaravel.com/security-tip-increase-your-bcrypt/
- *3. https://symfony.com/doc/current/security/passwords.html#the-bcrypt-password-hasher

Additional Information: Tried the cost value of 12 on the academy machines and the page load was roughly 500 ms.

| Field | Value |
|---|---|
| Tags | Security |
| Theme | Not defined |
| Browser | Not defined |
| PHP Version | Not defined |
| Database Version | Not defined |
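The point behind (*3), that the cost is encoded in the `$2y$NN$` prefix so raising it leaves existing hashes verifiable, worked through in PHP as an added example (not OXID eShop code): a login is checked against a cost-10 hash and the hash is upgraded to cost 12 on success. The function names, the sample password and the legacy hash are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not OXID eShop code. Shows that the bcrypt cost is stored in
// the hash itself, so raising the configured cost keeps old hashes verifiable,
// and how to upgrade them transparently on successful login.

const LEGACY_COST = 10; // cost of the hashes already in the database
const TARGET_COST = 12; // new configured cost (the PHP 8.4 default)

/** Read the cost out of a "$2y$NN$..." hash; it is part of the hash string. */
function bcryptCost(string $hash): int
{
    $info = password_get_info($hash);
    if ($info['algoName'] !== 'bcrypt') {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return (int) $info['options']['cost'];
}

/**
 * Verify a password; if the stored hash uses a lower cost than configured,
 * return an upgraded hash the caller must persist. Returns null on failure.
 */
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null; // wrong password: never rehash on failure
    }
    $options = ['cost' => $cost];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return $storedHash; // already at the configured cost
}

// Constructed sample: a legacy hash created under the old cost.
$password   = 'constructed-sample-password';
$legacyHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => LEGACY_COST]);

$start   = hrtime(true);
$newHash = verifyAndUpgrade($password, $legacyHash, TARGET_COST);
$elapsed = (hrtime(true) - $start) / 1e6;

assert($newHash !== null && bcryptCost($newHash) === TARGET_COST);
printf("stored cost %d -> verified and rehashed to cost %d in %.0f ms\n",
    bcryptCost($legacyHash), bcryptCost($newHash), $elapsed);

// A wrong password is rejected and nothing is rehashed.
assert(verifyAndUpgrade('wrong-password', $legacyHash, TARGET_COST) === null);
```

The printed time is the cost of one verify plus one rehash at the new cost, which is the extra latency a user pays once at first login after the change.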