Asked  2 Years ago    Answers:  5   Viewed   160 times

What is the maximum password length I can use with PHP 5.5 password_hash() and password_verify()?



Ok, let's go through this.

The function does have a password length limit. Just like all strings in PHP, it is limited to 2^31-1 bytes.

To be clear, there's no way for PHP to deal with anything larger than that (today at least).

So the function itself is limited. But what about the underlying crypto algorithms?

BCrypt is limited to processing the first 72 characters of password. However, this is not commonly a problem as explained in this answer.

So in short, yes it does have an effective limit (it will only "use" the first 72 chars with the default and only algorithm), and no, this is not a problem, nor should you try to "fix" or "mitigate" it.

Thursday, August 4, 2022
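The 72-character bcrypt cutoff described in the answer above can be observed directly with password_hash() and password_verify(). This is an added example, not code from the original answers; the helper name verifies_against() and all sample passwords are constructed for illustration, and cost 4 is used only to keep the demonstration fast.

```php
<?php
// Added example: observing bcrypt's input cutoff through PHP's password API.
// All passwords below are constructed sample values.

/**
 * Hashes $original with bcrypt and reports whether $candidate verifies
 * against that hash. (Hypothetical helper, not part of PHP.)
 */
function verifies_against(string $original, string $candidate): bool
{
    // Cost 4 is the minimum bcrypt cost; it is far too low for production use.
    $hash = password_hash($original, PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($candidate, $hash);
}

$prefix72 = str_repeat('a', 72);

// Case 1: identical first 72 bytes, different tails.
// bcrypt never sees the tails, so the two inputs are the same password to it.
var_dump(verifies_against($prefix72 . 'tail-one', $prefix72 . 'tail-two'));

// Case 2: a difference inside the first 72 bytes (position 72 itself).
// This one is within the processed range and is detected as a mismatch.
var_dump(verifies_against($prefix72, str_repeat('a', 71) . 'b'));

// Case 3: the cutoff counts bytes, not characters.
// "é" is 2 bytes in UTF-8, so 36 of them already fill the processed range
// and anything appended after them is ignored, as in case 1.
$multibyte = str_repeat("\u{00E9}", 36);
var_dump(strlen($multibyte));
var_dump(verifies_against($multibyte . 'x', $multibyte . 'y'));
```

Running it with the PHP CLI prints one line per var_dump() call, in the order of the three cases.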

I think your problem is you are trying to use a generic PHP object as a CodeIgniter library. You can't just do that. You'll need to modify the original code to work, or download one of the contributed libraries already designed for CodeIgniter.

CodeIgniter libraries have some restrictions (such as how they are instantiated), so just dropping any file into the libraries folder won't work.

Saturday, September 17, 2022

This algorithm is only available if PHP has been compiled with Argon2 support. - password_hash

If you want to use it whenever it is available, I would recommend checking with defined() or else falling back to a default algorithm.

if (defined('PASSWORD_ARGON2ID')) {
    // memory_cost is an integer number of kibibytes
    $hash = password_hash('password123', PASSWORD_ARGON2ID, array('time_cost' => 10, 'memory_cost' => 2048, 'threads' => 6));
} else {
    // Fallback: PASSWORD_DEFAULT is bcrypt here, which ignores the Argon2 options
    $hash = password_hash('password123', PASSWORD_DEFAULT, array('time_cost' => 10, 'memory_cost' => 2048, 'threads' => 6));
}

Monday, December 5, 2022

These are the reference pages I found when I googled: Link1 and Link2

If you are using MySQL Replication, be aware that, currently, a password used by a replication slave as part of a CHANGE MASTER TO statement is effectively limited to 32 characters in length; if the password is longer, any excess characters are truncated. This is not due to any limit imposed by the MySQL Server generally, but rather is an issue specific to MySQL Replication. (For more information, see Bug 43439.)

Fix documented in the 5.7.5 changelog, as follows:

The maximum length that can be used for the password in a CHANGE MASTER TO statement is 32 characters. Previously, when a longer password was employed, any excess length was silently truncated by the server. Now when the password's length exceeds 32 characters, CHANGE MASTER TO fails with an error.

So I would safely assume my password should not be more than 32 characters.

Tuesday, September 6, 2022
  1. The password hashing functions (such as password_hash) are preferred, as they automate more of the process, such as picking a salt, verifying passwords, and rehashing.

  2. The password_verify function will automatically detect what algorithm was used to generate a hash, so there's no compatibility issue.

  3. These functions are in a released version of PHP, so they should be fine to use.

  4. Use PHPass or a shim such as password_compat if your code needs to run on versions of PHP earlier than 5.5. Otherwise, use the password hashing functions.

Wednesday, November 30, 2022