Maximum length of generated hash when using password_hash?

I'm using

password_hash($password, PASSWORD_BCRYPT);

to encrypt passwords to store in a database. As I read, there's no length limit on generated hashes, but I need to know the maximum length so I can use it to define the field in my database which can fit all password hashes (in a worst case scenario).

If I put a limit of 20 characters on the plain-text password, how long will the password_hash() result be?

giozh asked Jan 31 '14 12:01



2 Answers

From the password_hash documentation:

The following algorithms are currently supported:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

Therefore, using PASSWORD_BCRYPT, the result of password_hash will be a 60 character string.

Tim Cooper answered Oct 01 '22 17:10
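The 60-character figure in the quoted documentation comes from bcrypt's fixed output layout: a `$2y$` prefix, a two-digit cost, a 22-character salt and a 31-character digest. The following PHP script is an added example, not part of the answer or of PHP's documentation: it hashes a constructed sample password with PASSWORD_BCRYPT, checks the length, and splits the string into those fields. `bcryptFields` is a helper written for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the answer above). Hashes a constructed sample
// password with PASSWORD_BCRYPT, checks the 60-character length the
// documentation promises, and splits the string into its fixed-width
// fields so the origin of that length is visible.

/**
 * Split a bcrypt modular-crypt string into its fields.
 * Layout: $<variant>$<cost>$<22-char salt><31-char digest> = 4 + 3 + 22 + 31 = 60 chars.
 * Throws on anything that is not a well-formed bcrypt hash.
 */
function bcryptFields(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'constructed-demo-password'; // constructed sample input
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

printf("length: %d\n", strlen($hash));
print_r(bcryptFields($hash));

// password_verify() parses the same fields back out of the stored string,
// which is why no separate salt or cost column is needed in the database.
var_dump(password_verify($password, $hash));
var_dump(password_verify('wrong', $hash));
```

Because the salt and cost travel inside the string, a single column holding the full hash is all the schema needs; anything that truncates it (a column narrower than 60 characters) silently breaks `password_verify()` for every user.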


The result of BCrypt will always be a 60 character string. Only the input to the function is limitless, which means you do not (and should not) set a limit on the entered passwords.

Actually BCrypt internally uses only about 72 characters, but it accepts passwords of any length.

If you want to use the function in its future-proof form like this (notice the PASSWORD_DEFAULT)...

password_hash($password, PASSWORD_DEFAULT);

...then you should make your database field bigger. Newer PHP versions may replace BCrypt with another default hash algorithm, which may generate longer hashes.

martinstoeckli answered Oct 01 '22 18:10
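Both answers point at the same operational consequence: store the hash in a column wide enough for whatever PASSWORD_DEFAULT produces, and let old hashes be upgraded as PHP's defaults move. The PHP script below is an added example written for this page, not code from either answer. It shows the verify-then-rehash pattern with `password_needs_rehash()`, guarding the write against the column width. The in-memory `$users` array stands in for the users table, the 255-character width is taken from the quoted documentation's suggestion, and the sample password and cost-4 legacy hash are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not part of either answer above). Demonstrates the
// verify-then-rehash pattern: a login is checked with password_verify() and,
// when PHP's PASSWORD_DEFAULT algorithm or cost no longer matches the stored
// hash, the stored hash is replaced with a fresh one. The $users array stands
// in for the users table; the 255-character column width is an assumption
// taken from the documentation quoted on this page.

const HASH_COLUMN_WIDTH = 255;

// Constructed sample row: a bcrypt hash made at cost 4, as an old deployment
// might have stored it. PHP's default bcrypt cost is 10, so it needs a rehash.
$users = [
    'alice' => password_hash('constructed-demo-password', PASSWORD_BCRYPT, ['cost' => 4]),
];

/**
 * Verify $password against the user's stored hash. On success, upgrade the
 * stored hash if the current default parameters differ from the stored ones.
 */
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        // Unknown user: run a verify anyway so the response time does not
        // reveal whether the account exists. The dummy hash is constructed here.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        // Guard the column width before writing: a future default algorithm
        // could produce a longer string than bcrypt's 60 characters.
        if (strlen($new) > HASH_COLUMN_WIDTH) {
            throw new RuntimeException('hash longer than the password column allows');
        }
        $users[$name] = $new;
    }
    return true;
}

$before = $users['alice'];
$ok = login($users, 'alice', 'constructed-demo-password');
printf("login ok: %s\n", var_export($ok, true));
printf("hash rehashed: %s\n", var_export($before !== $users['alice'], true));
printf("stored hash length: %d\n", strlen($users['alice']));
printf("wrong password accepted: %s\n", var_export(login($users, 'alice', 'wrong'), true));
printf("unknown user accepted: %s\n", var_export(login($users, 'bob', 'x'), true));
```

The rehash only happens on a successful login because that is the only moment the plaintext is available; the column-width check turns a silent truncation into a loud failure at the point where an algorithm change would first be felt.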