 

max length for user password field with "algorithm: auto"?

Symfony 4.3 deprecated the bcrypt algorithm, see UPGRADE-4.3.md:

Configuring encoders using argon2i or bcrypt as algorithm has been deprecated, use auto instead.

So I changed security.yaml to:

encoders:
    App\Entity\User:
        algorithm: auto

The problem is that, after changing to auto, the hashed string is longer:

'INSERT INTO users (..., password, ...) VALUES (...)' with params [..., "$argon2id$v=19$m=65536,t=6,p=1$d2RhZjVuaWJsSnE0TW5haA$ycOn7EHjPOoBTSa6SHDOBWL2AvwfPNjAstlSTEMmPpU", ...]:

SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'password' at row 1

This string is 97 characters long, while my password column was 64. I can't find any documentation about the maximum possible length with the "auto" attribute. Is it 97, or can it be more?

the_nuts asked May 31 '19 11:05


1 Answer

As said by @Cerad in comments, the auto mode will likely always produce passwords that are supported by the password_hash() built-in PHP function (depending on the platform).
Therefore you can safely rely on the hint given by the password_hash() documentation:

PASSWORD_DEFAULT - [...] Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

chalasr answered Nov 19 '22 23:11
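
An added example, not part of the original answer or of Symfony's code: it splits the Argon2 string from the question into its fields and recomputes the encoded length for other cost settings, which shows that 97 is not a fixed maximum. The function names are hypothetical and the second parameter set is constructed for illustration.

```php
<?php
declare(strict_types=1);

// Length of $bytes raw bytes in unpadded base64, the encoding Argon2 strings use.
function b64Len(int $bytes): int
{
    return intdiv(4 * $bytes + 2, 3);
}

// Length of "$argon2id$v=19$m=..,t=..,p=..$salt$tag" for the given cost parameters.
// The 16-byte salt and 32-byte tag defaults are the sizes found in the question's hash.
// "argon2id" is the longest variant name, so argon2i strings are one character shorter.
function argon2EncodedLength(int $m, int $t, int $p, int $saltBytes = 16, int $tagBytes = 32): int
{
    $header = '$argon2id$v=19$m=' . $m . ',t=' . $t . ',p=' . $p . '$';
    return strlen($header) + b64Len($saltBytes) + 1 + b64Len($tagBytes);
}

// Split a stored Argon2 hash into cost parameters and raw salt/tag sizes.
function parseArgon2(string $hash): array
{
    $re = '~^\$argon2(?:id|i)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$~';
    if (!preg_match($re, $hash, $x)) {
        throw new InvalidArgumentException('not an Argon2 encoded hash');
    }
    return [
        'm' => (int) $x[1], 't' => (int) $x[2], 'p' => (int) $x[3],
        'saltBytes' => strlen(base64_decode($x[4])),
        'tagBytes' => strlen(base64_decode($x[5])),
    ];
}

// Hash copied from the question.
$stored = '$argon2id$v=19$m=65536,t=6,p=1$d2RhZjVuaWJsSnE0TW5haA$ycOn7EHjPOoBTSa6SHDOBWL2AvwfPNjAstlSTEMmPpU';
$i = parseArgon2($stored);
printf("stored hash: %d chars (salt %d bytes, tag %d bytes)\n", strlen($stored), $i['saltBytes'], $i['tagBytes']);

// First row: the question's parameters. Second row: constructed, higher costs to show growth.
foreach ([[$i['m'], $i['t'], $i['p']], [1048576, 12, 16]] as [$m, $t, $p]) {
    $len = argon2EncodedLength($m, $t, $p, $i['saltBytes'], $i['tagBytes']);
    foreach ([64, 255] as $col) {
        printf("m=%d t=%d p=%d: %d chars, VARCHAR(%d) %s\n", $m, $t, $p, $len, $col, $len <= $col ? 'fits' : 'TRUNCATES');
    }
}
```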