Asked  7 Months ago    Answers:  5   Viewed   48 times

What is the maximum password length I can use with PHP 5.5 password_hash() and password_verify()?

 Answers

41

Ok, let's go through this.

The function does have a password length limit. Just like all strings in PHP, it is limited to 2^31-1 bytes.

To be clear, there's no way for PHP to deal with anything larger than that (today at least).

So the function itself is limited. But what about the underlying crypto algorithms?

BCrypt is limited to processing the first 72 characters of password. However, this is not commonly a problem as explained in this answer.

So in short, yes it does have an effective limit (it will only "use" the first 72 chars with the default and only algorithm), and no, this is not a problem, nor should you try to "fix" or "mitigate" it.

Wednesday, March 31, 2021
 
rblarsen
answered 7 Months ago
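The 72-byte behaviour described in this answer, shown as an added example that is not part of the original post. It runs on PHP 5.5 or later with no extensions beyond core; the passwords are constructed for the demo. Note that the window is 72 bytes, not 72 characters, which matters for multibyte UTF-8 input:

```php
<?php
// Added example: bcrypt, the only algorithm behind PHP 5.5's password_hash(),
// keys on the first 72 BYTES of the password and ignores the rest.

function bcrypt_truncation_demo()
{
    $cost   = 10;
    $prefix = str_repeat('a', 72);            // exactly 72 ASCII bytes

    $pw1 = $prefix . 'first-tail';
    $pw2 = $prefix . 'second-tail';           // identical up to byte 72

    $hash = password_hash($pw1, PASSWORD_BCRYPT, array('cost' => $cost));

    $results = array(
        // the password itself verifies, as expected
        'same'              => password_verify($pw1, $hash),
        // a different password that shares the first 72 bytes ALSO verifies
        'differs_after_72'  => password_verify($pw2, $hash),
        // the bare 72-byte prefix verifies too: nothing past it is used
        'prefix_only'       => password_verify($prefix, $hash),
        // a change inside the first 72 bytes is detected
        'differs_within_72' => password_verify('b' . substr($pw1, 1), $hash),
    );

    // The limit is bytes, not characters: "é" is two bytes in UTF-8, so 36 of
    // them already fill the 72-byte window and any tail after that is ignored.
    $utf8  = str_repeat("\xC3\xA9", 36);
    $hash2 = password_hash($utf8 . 'ignored', PASSWORD_BCRYPT, array('cost' => $cost));
    $results['utf8_36_chars_72_bytes'] = password_verify($utf8 . 'other', $hash2);
    $results['utf8_byte_length']       = strlen($utf8);   // 72

    return $results;
}

foreach (bcrypt_truncation_demo() as $case => $value) {
    printf("%-24s %s\n", $case, var_export($value, true));
}
```

Expected on any PHP build: `same`, `differs_after_72`, `prefix_only` and `utf8_36_chars_72_bytes` are all true, `differs_within_72` is false, and `utf8_byte_length` is 72. Two passwords that share their first 72 bytes are interchangeable as far as bcrypt is concerned, which is why the answer calls the limit "effective" rather than an error.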
75

I think your problem is you are trying to use a generic PHP object as a CodeIgniter library. You can't just do that. You'll need to modify the original code to work, or download one of the contributed libraries already designed for CodeIgniter.

CodeIgniter libraries have some restrictions (such as how they are instantiated), so just dropping any file into the libraries folder won't work.

Wednesday, March 31, 2021
 
barden
answered 7 Months ago
67

EDIT: As of PHP 5.5.0 this function is now bundled into the core library.

This function is not (yet anyway) available in core PHP. It was proposed not that long ago and so far you can only get it as a patch.

You can use crypt or hash instead. crypt is actually suggested in the hash_pbkdf2 documentation:

Caution
The PBKDF2 method can be used for hashing passwords for storage (it is NIST approved for that use). However, it should be noted that CRYPT_BLOWFISH is better suited for password storage and should be used instead via crypt().

Saturday, May 29, 2021
 
shin
answered 5 Months ago
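The crypt()-with-CRYPT_BLOWFISH route this answer points to, written out as an added example (not code from the original answer). It assumes PHP 5.3.7 or later, since the `$2y$` salt prefix was introduced in that release, and the openssl extension for random salt bytes. On PHP 5.5 and later, password_hash() does all of this for you and should be preferred.

```php
<?php
// Added example: bcrypt via crypt() for PHP versions before password_hash() existed.

function bcrypt_salt($cost)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes give 24 base64 characters; bcrypt salts use the
    // alphabet "./A-Za-z0-9", so swap '+' for '.' and keep the first 22.
    $strong = false;
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function bcrypt_hash($password, $cost = 10)
{
    $hash = crypt($password, bcrypt_salt($cost));
    // crypt() reports an unsupported algorithm or malformed salt with a
    // short "*0" / "*1" string instead of a 60-character bcrypt hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcrypt_check($password, $hash)
{
    if (strlen($hash) !== 60) {
        return false;
    }
    $computed = crypt($password, $hash);   // the stored hash doubles as the salt setting
    if (strlen($computed) !== 60) {
        return false;
    }
    // Constant-time comparison; hash_equals() only exists from PHP 5.6 on.
    if (function_exists('hash_equals')) {
        return hash_equals($hash, $computed);
    }
    $diff = 0;
    for ($i = 0; $i < 60; $i++) {
        $diff |= ord($hash[$i]) ^ ord($computed[$i]);
    }
    return $diff === 0;
}

// Constructed usage: store $stored, then check a login attempt against it.
$stored = bcrypt_hash('correct horse battery staple', 10);
var_dump(bcrypt_check('correct horse battery staple', $stored)); // bool(true)
var_dump(bcrypt_check('Correct horse battery staple', $stored)); // bool(false)
```

The two checks that matter when using crypt() directly are the salt alphabet (22 characters drawn from `./A-Za-z0-9`, which is why the base64 output is translated) and the length of the result: a hash shorter than 60 characters means crypt() fell back to an error string, and treating that as a valid hash would let any password "verify" against it.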
51

This algorithm is only available if PHP has been compiled with Argon2 support. - password_hash

If you want to use it whenever it is available, I would recommend checking with defined() or else falling back to a default algorithm.

<?php
// Argon2id is only compiled in when PHP was built with Argon2 support; fall back otherwise.
if (defined('PASSWORD_ARGON2ID')) {
    // memory_cost is an integer number of kibibytes, not a string such as '2048k'
    $hash = password_hash('password123', PASSWORD_ARGON2ID, array('time_cost' => 10, 'memory_cost' => 2048, 'threads' => 6));
} else {
    // PASSWORD_DEFAULT (currently bcrypt) ignores the Argon2 options; its only tunable is 'cost'
    $hash = password_hash('password123', PASSWORD_DEFAULT, array('cost' => 10));
}
Saturday, May 29, 2021
 
Indranil
answered 5 Months ago
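Picking the algorithm at runtime raises the follow-on question of what happens to hashes created before Argon2 support was compiled in. The following is an added example, not code from the original answer, showing the selection together with password_needs_rehash() so existing bcrypt hashes are upgraded on the user's next successful login. It assumes PHP 7.3 or later for PASSWORD_ARGON2ID; the cost parameters and the sample password are illustrative.

```php
<?php
// Added example: choose the strongest available algorithm and transparently
// upgrade stored hashes when the preferred algorithm or parameters change.

function preferred_algorithm()
{
    if (defined('PASSWORD_ARGON2ID')) {
        // memory_cost is an integer in kibibytes (64 MiB here), not a string like '2048k'
        return array(PASSWORD_ARGON2ID, array('memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1));
    }
    return array(PASSWORD_BCRYPT, array('cost' => 12));
}

function hash_password($password)
{
    list($algo, $options) = preferred_algorithm();
    return password_hash($password, $algo, $options);
}

// Returns array(bool $ok, string|null $newHash).
// When $newHash is not null the caller should overwrite the stored hash with it.
function verify_and_upgrade($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, null);
    }
    list($algo, $options) = preferred_algorithm();
    if (password_needs_rehash($storedHash, $algo, $options)) {
        // e.g. bcrypt -> argon2id, or an old bcrypt cost -> the current cost
        return array(true, hash_password($password));
    }
    return array(true, null);
}

// Constructed scenario: a legacy bcrypt hash sits in the database and the
// current build may or may not offer Argon2id.
$legacy = password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => 10));

list($ok, $upgraded) = verify_and_upgrade('hunter2', $legacy);
$info = $upgraded === null ? null : password_get_info($upgraded);
printf("login ok: %s, rehashed to: %s\n",
       var_export($ok, true), $info ? $info['algoName'] : 'unchanged');

list($ok, $upgraded) = verify_and_upgrade('wrong password', $legacy);
printf("login ok: %s, rehashed: %s\n",
       var_export($ok, true), $upgraded === null ? 'no' : 'yes');
```

The rehash only happens after password_verify() succeeds, because that is the only moment the plaintext is available; a failed login never changes the stored hash. On a build without Argon2 the example still rehashes, because the legacy hash's cost of 10 differs from the configured cost of 12.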
73

These are the reference pages I found when I googled: Link1 and Link2

If you are using MySQL Replication, be aware that, currently, a password used by a replication slave as part of a CHANGE MASTER TO statement is effectively limited to 32 characters in length; if the password is longer, any excess characters are truncated. This is not due to any limit imposed by the MySQL Server generally, but rather is an issue specific to MySQL Replication. (For more information, see Bug 43439.)

Fix documented in the 5.7.5 changelog, as follows:

The maximum length that can be used for the password in a CHANGE MASTER TO statement is 32 characters. Previously, when a longer password was employed, any excess length was silently truncated by the server. Now when the password's length exceeds 32 characters, CHANGE MASTER TO fails with an error.

So I would safely assume my password should not be more than 32 characters.

Friday, September 17, 2021
 
ar.gorgin
answered 1 Month ago