PHP password_hash() password_verify() maximum password length?

StackOverflow https://stackoverflow.com/questions/18793298

  •  28-06-2022
  •  | 
  •  

Frage

What is the maximum password length I can use with PHP 5.5 password_hash() and password_verify()?

War es hilfreich?

Lösung

Ok, let's go through this.

The function does have a password length limit. Just like all strings in PHP, it is limited to 2^31-1 bytes.

To be clear, there's no way for PHP to deal with anything larger than that (today at least).

So the function itself is limited. But what about the underlying crypto algorithms.

BCrypt is limited to processing the first 72 characters of password. However, this is not commonly a problem as explained in this answer.

So in short, yes it does have an effective limit (it will only "use" the first 72 chars with the default and only algorithm), And no this is not a problem and nor should you try to "fix" or "mitigate" it.

Andere Tipps

password_hash itself doesn't have a length limit.

Blowfish, however

has a 64-bit block size and a variable key length from 32 bits up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. In structure it resembles CAST-128, which uses fixed S-boxes. (Wikipedia)

Which means an effective limit of 56 characters when using CRYPT_BLOWFISH as the cipher (which is the default).

The function doesn't have any limit, you just have to keep your memory_limit in mind, that should be all.

Edit: You should limit the password length, otherwise it could slow down your server (depending on the algo)
see django: https://www.djangoproject.com/weblog/2013/sep/15/security/

Edit 2: to clarify: there shouldn't be a limit to 14-20 characters, it should be 4KB or more.

There should not be any length limitation to the password_hash function.

Lizenziert unter: CC-BY-SA mit Zuschreibung
Nicht verbunden mit StackOverflow
scroll top