What is the maximum password length I can use with PHP 5.5 password_hash()
and password_verify()
?
PHP password_hash() password_verify() maximum password length?
5.1k views Asked by standac AtThere are 4 answers
The function doesn't have any limit, you just have to keep your memory_limit in mind, that should be all.
Edit: You should limit the password length, otherwise it could slow down your server (depending on the algo)
see django: https://www.djangoproject.com/weblog/2013/sep/15/security/
Edit 2: to clarify: there shouldn't be a limit to 14-20 characters, it should be 4KB or more.
password_hash
itself doesn't have a length limit.
Blowfish, however
has a 64-bit block size and a variable key length from 32 bits up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. In structure it resembles CAST-128, which uses fixed S-boxes. (Wikipedia)
Which means an effective limit of 56 characters when using CRYPT_BLOWFISH as the cipher (which is the default).
Ok, let's go through this.
The function does have a password length limit. Just like all strings in PHP, it is limited to 2^31-1 bytes.
To be clear, there's no way for PHP to deal with anything larger than that (today at least).
So the function itself is limited. But what about the underlying crypto algorithms.
BCrypt is limited to processing the first 72 characters of password. However, this is not commonly a problem as explained in this answer.
So in short, yes it does have an effective limit (it will only "use" the first 72 chars with the default and only algorithm), And no this is not a problem and nor should you try to "fix" or "mitigate" it.