On Sun, Feb 9, 2025, at 16:20, Kamil Tekiela wrote:
> Hi,
>
> I would say that this is a pretty bad idea. 72 bytes of entropy are
> quite a lot for *PASSWORDS*. Even if some users use a pass phrase
> longer than that, the first 72 bytes are enough to provide sufficient
> security. People who use it for other stuff, like in the linked
> article, are only to blame themselves. They use the wrong tool for the
> job. The limitation of bcrypt is very clearly documented[1].
>
> Triggering a warning at runtime wouldn't be useful to the developer.
> To avoid such a warning they would need to either reject passwords
> longer than 72 bytes or truncate them before passing it to
> password_hash. Both approaches provide no additional security or any
> other value. That would only annoy either the developers or the users.
>
> Letting bcrypt use only the first 72 bytes is a very safe and easy
> solution. No need to overcomplicate it.
>
> Regards,
> Kamil
>
> [1]:
> https://www.php.net/manual/en/function.password-hash.php#refsect1-function.password-hash-parameters
>
I fully agree with you, however it is also the default password hashing algorithm. People may not read the docs and assume a generic implementation that isn’t constrained. Since it is the default and has constraints, we should probably at least warn people when they are using it wrong. They can then do whatever they want (ignore it, migrate to a different hashing algorithm, turn it into an exception, or adjust their inputs).

— Rob
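
The 72-byte behaviour both messages refer to, shown as an added example that is not part of the thread or of PHP itself. The helper names `bcrypt_would_truncate` and `hash_password_checked` are hypothetical, the inputs are constructed, and the wrapper illustrates a caller-side warning rather than any proposed change to `password_hash`.

```php
<?php
declare(strict_types=1);

// bcrypt reads at most this many bytes of the password (the limit discussed above).
const BCRYPT_MAX_BYTES = 72;

// Hypothetical helper: would bcrypt ignore part of this input?
// strlen() counts bytes, not characters, and bytes are what the limit applies to.
function bcrypt_would_truncate(string $password): bool
{
    return strlen($password) > BCRYPT_MAX_BYTES;
}

// Hypothetical wrapper: hash with bcrypt and surface truncation as a warning
// that the caller can ignore, log, or convert into an exception.
function hash_password_checked(string $password): string
{
    if (bcrypt_would_truncate($password)) {
        trigger_error(
            sprintf('bcrypt ignores bytes after the first %d; input is %d bytes',
                BCRYPT_MAX_BYTES, strlen($password)),
            E_USER_WARNING
        );
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed inputs: identical first 72 bytes, different tails.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$first  = $prefix . 'correct-tail';
$second = $prefix . 'different-tail';

$hash = @hash_password_checked($first); // warning suppressed for this demo only

// Both inputs are checked against the same hash; the tails were never hashed.
var_dump(password_verify($first, $hash));
var_dump(password_verify($second, $hash));

// A difference inside the first 72 bytes is still detected.
var_dump(password_verify(substr($prefix, 0, 71) . 'b', $hash));

// Multi-byte characters reach the limit sooner than the character count suggests:
// 40 characters of U+00E9 occupy 80 bytes in UTF-8.
var_dump(bcrypt_would_truncate(str_repeat("\u{00E9}", 40)));

// One of the options named above: turn the warning into an exception.
set_error_handler(function (int $no, string $msg): bool {
    throw new ErrorException($msg, 0, $no);
}, E_USER_WARNING);
```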