
trevorpan's avatar

Tuning Argon2id hash options to your server

If you read up on https://www.php.net/manual/en/function.password-hash.php you get this code, but it appears to reference the bcrypt hash (unless I'm wrong).

<?php
/**
 * This code will benchmark your server to determine how high of a cost you can
 * afford. You want to set the highest cost that you can without slowing down
 * your server too much. 8-10 is a good baseline, and more is good if your servers
 * are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
 * which is a good baseline for systems handling interactive logins.
 */
$timeTarget = 0.05; // 50 milliseconds 

$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost;
?>

On that page a comment mentioned this: https://tools.ietf.org/html/draft-irtf-cfrg-argon2-06#section-9.4

9.4. Recommendations: The Argon2id variant with t=1 and maximum available memory is recommended as a default setting for all environments. This setting is secure against side-channel attacks and maximizes adversarial costs on dedicated bruteforce hardware.

It's not clear if t=1 is time or threads.

//using php7.4 allows use of Argon2id
/*
    |--------------------------------------------------------------------------
    | Argon Options
    |--------------------------------------------------------------------------
    |
    | Here you may specify the configuration options that should be used when
    | passwords are hashed using the Argon algorithm. These will allow you
    | to control the amount of time it takes to hash the given password.
    |
    */

    'argon2id' => [
        'memory' => 1024,
        'threads' => 2,
        'time' => 2,
    ],

Do you have any experience here? How do you tune the algorithm options to your server?

Braunson's avatar

On that same PHP docs page, you can see this:

Supported options for PASSWORD_ARGON2I and PASSWORD_ARGON2ID:

This explains that the supported options are memory_cost, time_cost and threads, which leads me to believe t = threads.

So in your code, replace PASSWORD_BCRYPT with PASSWORD_ARGON2ID. Then you can pass the options (above) in.

trevorpan's avatar

Hi @braunson,

Thank you; I certainly will swap those out where they occur.

I was hoping to see if someone also "tunes" their argon2id hash options to their server. From what I gather, the first example enclosed in the OP is something you can use to "tune" your bcrypt hash algorithm to the unique constraints of your own server; you run that on the server and that script will give you a value to use for bcrypt rounds (I think).

It's not an area I know much about... there are only three posts I found on laracasts.com about argon2id. Not too much to go on yet.
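
An added example, not part of the thread or the PHP manual: the bcrypt timing approach from the first post applied to PASSWORD_ARGON2ID. It follows the quoted draft recommendation by starting at one pass with the memory budget and only then adding passes; the budget constants and function names are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed budgets for illustration; adjust to the server being tuned.
const TARGET_SECONDS = 0.05;     // same 50 ms goal as the bcrypt script
const MEMORY_BUDGET_KIB = 65536; // memory one hash may use (memory_cost is in KiB)
const MIN_MEMORY_KIB = 8192;     // do not shrink memory below this floor
const THREADS = 1;               // sodium-backed builds only accept 1
const MAX_TIME_COST = 10;

/** Median wall-clock seconds for one Argon2id hash with $options. */
function timeArgon2id(array $options, int $runs = 3): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_ARGON2ID, $options);
        $samples[] = microtime(true) - $start;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

function tuneArgon2id(): array
{
    // t in the Argon2 draft is the number of passes, i.e. PHP's time_cost.
    $options = ['memory_cost' => MEMORY_BUDGET_KIB, 'time_cost' => 1, 'threads' => THREADS];
    // Step 1: if even one pass is too slow, halve memory down to the floor.
    while ($options['memory_cost'] >= 2 * MIN_MEMORY_KIB && timeArgon2id($options) > TARGET_SECONDS) {
        $options['memory_cost'] = intdiv($options['memory_cost'], 2);
    }
    // Step 2: add passes while the next value still fits the time budget.
    while ($options['time_cost'] < MAX_TIME_COST) {
        $next = ['time_cost' => $options['time_cost'] + 1] + $options;
        if (timeArgon2id($next) > TARGET_SECONDS) {
            break;
        }
        $options = $next;
    }
    return $options;
}

if (!defined('PASSWORD_ARGON2ID')) {
    exit("This PHP build has no Argon2id support.\n");
}
$options = tuneArgon2id();
$hash = password_hash('constructed-sample-password', PASSWORD_ARGON2ID, $options);
printf("memory_cost=%d KiB time_cost=%d threads=%d\n", $options['memory_cost'], $options['time_cost'], $options['threads']);
var_dump(password_verify('constructed-sample-password', $hash));
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, $options));
```

Run it on the server that will handle logins, ideally under typical load, since the memory budget applies to every concurrent hash. Unlike the bcrypt loop, this version returns the last setting that stayed within the time target rather than the first one that exceeded it.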
