View Issue Details

IDProjectCategoryView StatusLast Update
0007727OXID eShop (all versions)4.04. Securitypublic2024-10-30 07:53
Reportermichael_keiluweit Assigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status confirmedResolutionopen 
Summary0007727: Increase bcrypt cost
DescriptionPHP will increase the default cost value to 12 with PHP 8.4 of the bcrypt algorithm(*1). The current value was last changed in 2012 and the hardware became better by now. So it should be considered to increase our defined cost value as well(*2): https://github.com/OXID-eSales/oxideshop_ce/blob/c7fffe8b2143ad8dc4c7598a9baecec174ad77ba/source/Internal/Utility/Hash/services.yaml#L2

The cost can be changed without affecting the old hashes (*3), since the cost is part of the hash:
cost 10: $2y$10$SqQvqdiFw3R3.hv6g5sq0.M6hlXIRmqNk8tShKCW/5zgX86XudM56
cost 12: $2y$12$fKcaDQwFvCQGcz1uEFADhuZ73e5D/AHo/n3gor8BJVuNFBpfewnj2
Sources
*1. https://wiki.php.net/rfc/bcrypt_cost_2023
*2. https://securinglaravel.com/security-tip-increase-your-bcrypt/
*3. https://symfony.com/doc/current/security/passwords.html#the-bcrypt-password-hasher
Additional InformationTried the cost value of 12 on the academy machines and the page load was roughly 500 ms.
TagsSecurity
ThemeNot defined
BrowserNot defined
PHP VersionNot defined
Database VersionNot defined

Activities

There are no notes attached to this issue.