One of my biggest concerns when developing an application has always been the performance it would have, especially on shared servers, on which most of my clients focus. Micro-optimizations are always welcome in my systems, as I follow the old philosophy of dictation: from grain to grain, the chicken fills up.
However, I recently focused on system security, where I felt a certain lack of attention on such an important factor.
I have always used sha1 and md5 to store the database, but recently I saw a story that said this technique is no longer recommended as there is a possibility of duplication and for being very easy to "break" both by brute force.
I then knew the password_hash function of php, which would be the "new" way of storing this information in the DB.
However, in my tests, I saw that this function is not very friendly to performance.
In the image above, the red indicator refers to the script using: sha1(md5($senha)) , and the blue indicator using password_hash($senha, PASSWORD_DEFAULT, ['cost' => 12]) .
Outstanding performance drop, reaching almost 80% .
I know that security is imperative, but: To what extent should it interfere with performance - hence user experience, which might have a slower server?
How to put both on the scale to maintain balance?