Hi,

I would say that this is a pretty bad idea. 72 bytes of entropy are quite a lot for *PASSWORDS*. Even if some users use a pass phrase longer than that, the first 72 bytes are enough to provide sufficient security. People who use it for other stuff, like in the linked article, have only themselves to blame. They use the wrong tool for the job. The limitation of bcrypt is very clearly documented[1].

Triggering a warning at runtime wouldn't be useful to the developer. To avoid such a warning they would need to either reject passwords longer than 72 bytes or truncate them before passing them to password_hash. Both approaches provide no additional security or any other value. That would only annoy either the developers or the users. Letting bcrypt use only the first 72 bytes is a very safe and easy solution. No need to overcomplicate it.

Regards,
Kamil

[1]: https://www.php.net/manual/en/function.password-hash.php#refsect1-function.password-hash-parameters
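
The 72-byte behaviour discussed in this message, as an added example that is not part of the original post: it shows `password_hash()` with `PASSWORD_BCRYPT` ignoring input past byte 72, for a long pass phrase and for a composite value of the "other stuff" kind. The helper names `exceedsBcryptLimit` and `verifiesAgainst`, the cost of 4 and all sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// bcrypt reads at most this many bytes of its input (documented for PASSWORD_BCRYPT).
const BCRYPT_MAX_BYTES = 72;

/** True when the input has bytes past the 72nd, which bcrypt will not read. */
function exceedsBcryptLimit(string $input): bool
{
    return strlen($input) > BCRYPT_MAX_BYTES; // strlen() counts bytes, not characters
}

/** Hash $stored with bcrypt, then report whether $candidate verifies against it. */
function verifiesAgainst(string $stored, string $candidate): bool
{
    // Cost 4 is the bcrypt minimum; used only to keep this demo fast.
    $hash = password_hash($stored, PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($candidate, $hash);
}

// Constructed sample 1: an 87-byte pass phrase with two different endings.
// Both strings share their first 72 bytes, so bcrypt is given the same input.
$phrase = str_repeat('correct horse battery staple ', 3);
$a = $phrase . 'ending-one';
$b = $phrase . 'ending-two';
echo 'long phrase, different tail verifies: ';
var_dump(verifiesAgainst($a, $b));

// A change inside the first 72 bytes is still detected.
echo 'long phrase, different first byte verifies: ';
var_dump(verifiesAgainst($a, 'X' . substr($a, 1)));

// Constructed sample 2: a composite value (not a password) whose 81-byte
// prefix pushes the only distinguishing part past the limit.
$prefix = str_repeat('u', 80) . ':';
echo 'composite value exceeds limit: ';
var_dump(exceedsBcryptLimit($prefix . 'secret-1'));
echo 'composite value, different secret verifies: ';
var_dump(verifiesAgainst($prefix . 'secret-1', $prefix . 'secret-2'));

// The limit is in bytes: 40 two-byte UTF-8 characters are already 80 bytes.
echo '40 multibyte characters exceed limit: ';
var_dump(exceedsBcryptLimit(str_repeat("\u{00E4}", 40)));
```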