Hashing…Why do we need it? We need it to stop bad guys from stealing the passwords of our users in case they are able to steal our database records.
PHP 5.5 has a native password hashing API that you can use for hashing passwords. In this API, the password_hash function provides the hashing capability that we need. One of the parameters it accepts determines which algorithm to use. If you choose the Blowfish (bcrypt) algorithm, you can also provide a “cost” option. This cost option is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in the range 04-31. In other words, each increase of the “cost” value by one doubles the work, so you generate hashes that are harder to crack.
Ok, enough with the basic info. Now, how do we define a maximum hash cost value? What is maximum? Why is it the maximum hash cost your server can afford? “Maximum” may actually change from person to person. The password_hash function takes longer when you choose higher “cost” values. This, in turn, results in longer login and registration times for your site, and this is the point at which you should decide on your “maximum”.
A common recommendation is a stretching time (the time it takes to generate the hash) of 50-100 milliseconds. Below is a piece of code you can use to determine the maximum hash cost your server can afford for the PHP password_hash function with the Blowfish algorithm. Create a .php file, paste this code inside and run it on your server.
You can change the $targetTime value and find your appropriate "maximum" cost value.
<?php
$targetTime = 0.10; // 100 milliseconds
$cost = 8;          // start low; the loop raises the cost until hashing takes at least $targetTime
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $targetTime);
echo "Your maximum appropriate cost is: " . $cost . "\n";
This code is for 100 milliseconds stretching time. You can decrease or increase it as you see fit to find your appropriate maximum cost value.
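Once you have settled on a cost, hashes that were stored at an older, lower cost still verify, but they stay at that weaker cost until they are regenerated. The following is an added example, not code from the original post, showing how to upgrade such a hash at login time with password_needs_rehash; the $storedHash value is a constructed sample and save_hash_for_user is a hypothetical stand-in for your own database update.

```php
<?php
// Added example: upgrade stored bcrypt hashes to the newly chosen cost on login.
$targetCost = 12; // assumed: the value found with the timing loop above

// Hypothetical persistence function; replace with your own database update.
function save_hash_for_user(string $username, string $hash): void
{
    // e.g. UPDATE users SET password_hash = ? WHERE username = ?
}

function login(string $username, string $password, string $storedHash, int $targetCost): bool
{
    // Verify first; a failed login must never trigger a rehash.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // The stored hash was made with a different cost (or algorithm),
    // so regenerate it now while the plaintext password is available.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ["cost" => $targetCost])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ["cost" => $targetCost]);
        save_hash_for_user($username, $newHash);
    }
    return true;
}

// Constructed sample: a hash created earlier at the old cost of 10.
$storedHash = password_hash("correct horse battery staple", PASSWORD_BCRYPT, ["cost" => 10]);
var_dump(login("alice", "correct horse battery staple", $storedHash, $targetCost));
var_dump(login("alice", "wrong password", $storedHash, $targetCost));
```

Because the rehash only happens after a successful password_verify, raising the cost never locks existing users out; their hashes are simply upgraded the next time they log in.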
Hope this helps.