0

You can see a test example here: https://3v4l.org/elrB8 (1.1 - 1.3 sec), and the same code on my server with PHP 5.6 runs for about 27-57 seconds.

What factors can cause a slowdown? Which PHP settings affect this function?

`cost` and `PASSWORD_DEFAULT` are the same on both servers.

FlyBot
  • maybe interesting? [Generating Password Hash In PHP 5.5 And Setting Cost Option](http://stackoverflow.com/questions/13905857/generating-password-hash-in-php-5-5-and-setting-cost-option) – Ryan Vincent Jun 26 '16 at 12:26
  • The cost is the same on both servers, but the time is very different – FlyBot Jun 26 '16 at 12:31
  • 3
    Different server performance? Remember, it is designed to work the server hard. That is why it is slow. You need to be aware of the speed of the server you are running it on. You will likely need a different `cost` parameter on different servers. – Ryan Vincent Jun 26 '16 at 12:32

1 Answer

4

That's what the cost parameter is for. More cost equals more hashing, which takes you longer to calculate, but it also takes longer for the potential cracker who wants to crack the password by brute force.

So it is somewhat expected and wanted that `password_hash` takes longer than just a nanosecond. You have to play around with the cost a bit to see what works best for you, but again, it shouldn't be too fast!

If I remember correctly, bcrypt is at the moment the default hashing algorithm and the cost isn't linear for bcrypt. You'd see an exponential time increase for a cost increase.

tkausl
  • But the cost is the same on both servers, but the time is very different – FlyBot Jun 26 '16 at 12:29
  • 1
    Then the used algorithm might be a different one. Or one of the servers might just be busy doing other work or isn't as fast as the other one. – tkausl Jun 26 '16 at 12:31
  • More time does not produce "better hashing", the whole point of the cost factor is to take substantial time thus limiting the abilities of an attacker to brute-force the passwords. – zaph Jun 26 '16 at 14:51
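
As an added example (not code from the question or the answer), this script can be run on both servers to compare them: it reports which algorithm and cost `PASSWORD_DEFAULT` resolves to, then times bcrypt at each cost and picks the highest one within a time budget. The 0.25 s budget, the 8-14 cost range, the sample password and the function names are assumptions.

```php
<?php
// Added example, not from the original thread. Runs on PHP 5.5+.
const TARGET_SECONDS = 0.25; // assumed per-hash time budget
const MIN_COST = 8;          // assumed search range
const MAX_COST = 14;
const SAMPLES  = 3;

// Median wall-clock time of one bcrypt password_hash() call at $cost.
function time_hash($cost, $samples = SAMPLES)
{
    $times = array();
    for ($i = 0; $i < $samples; $i++) {
        $start = microtime(true);
        password_hash('constructed-sample-password', PASSWORD_BCRYPT, array('cost' => $cost));
        $times[] = microtime(true) - $start;
    }
    sort($times);
    return $times[(int) floor(count($times) / 2)];
}

// Highest cost whose median time fits the budget; never below MIN_COST.
function calibrate_cost($target = TARGET_SECONDS)
{
    $chosen = MIN_COST;
    $timings = array();
    for ($cost = MIN_COST; $cost <= MAX_COST; $cost++) {
        $timings[$cost] = time_hash($cost);
        if ($timings[$cost] > $target) {
            break; // bcrypt does 2^cost rounds, so higher costs only get slower
        }
        $chosen = $cost;
    }
    return array($chosen, $timings);
}

// Report what PASSWORD_DEFAULT resolves to here, to compare two servers.
$info = password_get_info(password_hash('constructed-sample-password', PASSWORD_DEFAULT));
$defaultCost = isset($info['options']['cost']) ? $info['options']['cost'] : 'n/a';
printf("PHP %s, default algorithm: %s, default cost: %s\n", PHP_VERSION, $info['algoName'], $defaultCost);

list($cost, $timings) = calibrate_cost();
foreach ($timings as $c => $t) {
    printf("cost %2d: %.4f s\n", $c, $t);
}
printf("Highest cost within %.2f s: %d\n", TARGET_SECONDS, $cost);
```

If the per-cost timings differ between the two machines while the reported algorithm and default cost match, the gap comes from the hardware or the load on the server rather than from a PHP setting.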