01523: performance impaired with php 8.4/bcrypt/'nopass'

Summary: performance impaired with php 8.4/bcrypt/'nopass'
Created: 2025-06-18 11:01
Status: InProgress
Category: Other
Assigned:
Priority: 35
Version: 2.4.6
OS: php 8.4.8 on fedora 42

Description: Hello. After upgrading to fed42 which uses php 8.4 I was seeing a ~3 second added latency to my pmwiki requests.

PHP 8.4 increased the overhead of bcrypt by raising the default algorithmic 'cost' from 10 to 12 (a 4-fold increase).

https://www.php.net/manual/en/function.password-hash.php (search 8.4.0)

https://wiki.php.net/rfc/bcrypt_cost_2023

I have 3 default passwords (admin/edit/read) which are all pre-hashed in my config (so not costing me anything there).

But it looks like the 'nopass' code in IsAuthorized is generating the overhead:

      if ($AllowPassword && pmcrypt($AllowPassword, $pw) == $pw) # nopass
        { $auth=1; continue; }

For each of my default passwords this code executes pmcrypt; that call then executes a password_verify (which fails) and a crypt, which each take about the same time (half a sec).

So there are a total of 6 executions of the hash - a 3s overhead in total. This seems rather high.

An xdebug/kcachegrind graph of where the time goes:

oops - that link doesn't appear to render - it is meant to be: pasteboard.co/vCdGvCfB6f96.png

(I did find a workaround - which is to pre-hash the passwords using ad-hoc php code with a reduced cost value; this is then respected by pmcrypt when it does the nopass processing.)

Thom Jeera
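An added example (not PmWiki's or the reporter's code) that reproduces the accounting above: it builds three stored hashes at a given cost, runs the same password_verify-then-crypt pair per hash that the nopass check triggers, and reads the cost back out of each hash with password_get_info(), which is why pre-hashing at a lower cost is honoured. The passwords, the 'nopass' value of $AllowPassword and the timing loop are constructed for the demonstration.

```php
<?php
// Added example, not code from PmWiki. Demonstrates why the nopass check is
// expensive under PHP 8.4 (default bcrypt cost 12) and why pre-hashing with a
// lower cost helps: password_verify() and crypt() take the work factor from the
// "$2y$NN$" prefix of the stored hash, not from the runtime default.
declare(strict_types=1);

// Constructed sample: three stored hashes, mirroring admin/edit/read in config.php.
function make_hashes(int $cost): array {
    $plain = ['admin' => 'admin-secret', 'edit' => 'edit-secret', 'read' => 'read-secret'];
    return array_map(
        fn(string $pw): string => password_hash($pw, PASSWORD_BCRYPT, ['cost' => $cost]),
        $plain
    );
}

// Mimics what the nopass branch costs: for each stored hash, one failing
// password_verify() plus one failing crypt(), i.e. two full bcrypt runs.
// Returns elapsed seconds (the reporter measured ~0.5 s per run, 6 runs, ~3 s).
function nopass_overhead(string $allowPassword, array $hashes): float {
    $start = hrtime(true);
    foreach ($hashes as $hash) {
        $viaVerify = password_verify($allowPassword, $hash);  // false: wrong password
        $viaCrypt  = crypt($allowPassword, $hash) === $hash;  // false, but same bcrypt work
        assert(!$viaVerify && !$viaCrypt);
    }
    return (hrtime(true) - $start) / 1e9;
}

// The cost embedded in each stored hash is what decides the work done above.
function hash_costs(array $hashes): array {
    return array_map(fn(string $h): int => password_get_info($h)['options']['cost'], $hashes);
}

// 'nopass' stands in for the $AllowPassword value (assumed here, not read from config).
foreach ([10, 12] as $cost) {
    $hashes = make_hashes($cost);
    printf("cost %d: stored costs %s, nopass overhead %.2fs\n",
        $cost, json_encode(hash_costs($hashes)), nopass_overhead('nopass', $hashes));
}
// Setting $AllowPassword = '' avoids the loop altogether, since the core check
// is guarded by `if ($AllowPassword && ...)`.
```

Run with `php example.php`; the cost-12 line should take roughly four times as long as the cost-10 line on the same machine.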

Thanks, this is excellent work! I did notice some slowness on PHP 8.4 but assumed one of my addons was misbehaving and was hoping to find some time to examine this. The easiest workaround in config.php may be to set $AllowPassword to nothing:

$AllowPassword = '';

I'll think if we can remove this in the core - @nopass has been used instead of $AllowPassword since at least 2009. I'll also make $RehashedPassword optional. --Petko

So I refactored these functions and also cached the verified passwords as session variables. This should be in 2.5.0, released in the next few weeks. Please check the pre-release from ChangeLog if you can, and report any problems you notice. --Petko

Thanks, am doing so - looking good! Thanks a lot. Thom Jeera