PHP password_hash() password_verify() maximum password length?

What is the maximum password length I can use with PHP 5.5 password_hash() and password_verify()?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Ok, let’s go through this.

The function does have a password length limit. Just like all strings in PHP, it is limited to 2^31-1 bytes.

To be clear, there’s no way for PHP to deal with anything larger than that (today at least).

So the function itself is limited. But what about the underlying crypto algorithms.

BCrypt is limited to processing the first 72 characters of password. However, this is not commonly a problem as explained in this answer.

So in short, yes it does have an effective limit (it will only “use” the first 72 chars with the default and only algorithm), And no this is not a problem and nor should you try to “fix” or “mitigate” it.

Solution 2

password_hash itself doesn’t have a length limit.

Blowfish, however

has a 64-bit block size and a variable key length from 32 bits up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. In structure it resembles CAST-128, which uses fixed S-boxes. (Wikipedia)

Which means an effective limit of 56 characters when using CRYPT_BLOWFISH as the cipher (which is the default).

Solution 3

The function doesn’t have any limit, you just have to keep your memory_limit in mind, that should be all.

Edit: You should limit the password length, otherwise it could slow down your server (depending on the algo)
see django: https://www.djangoproject.com/weblog/2013/sep/15/security/

Edit 2: to clarify: there shouldn’t be a limit to 14-20 characters, it should be 4KB or more.

Solution 4

There should not be any length limitation to the password_hash function.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply