Background:
I want to add a login to my small site, which is an online php application that I would like to build in order to be able to perform more user activity in the future.
Before I start using LightOpenID, I want to add a regular login. The book I studied is called Head First PHP and MySQL (2008), and in the last chapter the code uses SHA('$user_password') as part of the MySQL query.
As I take an interest in Jeff Atwood's record, I am well aware of bcrypt as well as scrypt. But, having seen that there is no PHP implementation of scrypt, and as I do not have a dedicated server to run it, I decided to at least study the implementation of bcrypt for the moment.
However, I'm not completely naive, I know that I must make sure that I do not overload my very modest hosting resources. The php application itself should always be the first in front of any other resources.
Andrew Moore's method seems nice (although I will have to see how to implement it on PHP 5.2.17, which my host uses), and it comes with a hint for hardware speed:
"You must select a number of rounds that results in 200-250 ms of work. One of the reasons why bcrypt is secure is that it is slow. You must ensure that the number of rounds retains this characteristic." - Andrew Moore
Another user claims that for him, running microtime() gives 0.314 for Bcrypt (9), which would thus be almost optimal.
Question:
, , , php, Bcrypt (4) - ?
Bcrypt (4) true , , ? ( , GPU?) SHA512 - , ?
, Bcrypt (4) , , , ?:
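
The 200-250 ms hint quoted in the post can be measured on the host itself rather than guessed. The script below is an added example, not code from the post or from Andrew Moore's answer: it times crypt() with a bcrypt setting string at increasing cost and reports the lowest cost whose median time reaches the target. The function names, the fixed benchmark salt and the sample password are assumptions made for the example, and it only works where the PHP build reports CRYPT_BLOWFISH support.

```php
<?php
// Added example: measure bcrypt cost on this host. All names are hypothetical.

// Constructed 22-character salt, used for timing only; never reuse it for stored hashes.
define('BENCH_SALT', 'CalibrationSaltOnly012');

// Time one bcrypt hash at the given cost; returns milliseconds, or false on failure.
function time_bcrypt($cost, $password = 'benchmark-password')
{
    $setting = sprintf('$2a$%02d$%s', $cost, BENCH_SALT);
    $start = microtime(true);
    $hash = crypt($password, $setting);
    $elapsed = (microtime(true) - $start) * 1000.0;
    // A valid bcrypt result is 60 characters long and keeps the $2a$ prefix.
    if (strlen($hash) !== 60 || strpos($hash, '$2a$') !== 0) {
        return false;
    }
    return $elapsed;
}

// Return the lowest cost whose median time reaches $targetMs (capped at $maxCost).
function calibrate_cost($targetMs = 200.0, $minCost = 4, $maxCost = 14, $samples = 3)
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $times = array();
        for ($i = 0; $i < $samples; $i++) {
            $t = time_bcrypt($cost);
            if ($t === false) {
                return false;
            }
            $times[] = $t;
        }
        sort($times);
        $median = $times[(int) floor($samples / 2)];
        printf("cost %2d: %8.1f ms\n", $cost, $median);
        if ($median >= $targetMs) {
            return $cost;
        }
    }
    return $maxCost;
}

if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH != 1) {
    echo "crypt() has no Blowfish support on this build\n";
} else {
    $cost = calibrate_cost(200.0);
    echo $cost === false ? "bcrypt hashing failed\n" : "suggested cost: $cost\n";
}
```

Run it on the production host under typical load, since each step up in cost doubles the work and shared hosting timings vary between runs.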