This code will benchmark your server to determine how high of a cost you can afford. You want to set the highest cost that you can without slowing down you server too much. 8-10 is a good baseline, and more is good if your servers are fast enough. The code below aims for ≤ 50 milliseconds stretching time, which is a good baseline for systems handling interactive logins.
<?php
/**
* This code will benchmark your server to determine how high of a cost you can
* afford. You want to set the highest cost that you can without slowing down
* you server too much. 8-10 is a good baseline, and more is good if your servers
* are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
* which is a good baseline for systems handling interactive logins.
*
* Originallly from http://php.net/manual/en/function.password-hash.php
* Adapted by @Starbeamrainbowlabs <sbrl@starbeamrainbowlabs.com> (https://starbeamrainbowlabs.com) (https://github.com/sbrl/)
*/
$timeTarget = 0.08; // 80 milliseconds
$cost = 8;
do {
$cost++;
$start = microtime(true);
password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
$end = microtime(true);
} while (($end - $start) < $timeTarget);
//header("content-type: text/plain");
echo("Appropriate Cost Found: $cost");