On 05.02.2014 23:03, Brion Vibber wrote:
> Is the 72-byte truncation a general bcrypt problem or specific to
> password_hash()? Any concerns or a non-issue? Note that some non-Latin
> strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most
> passwords, but some people like passphrases. :)
>
> -- brion
>
http://security.stackexchange.com/a/39852 recommends running sha256 before
password_hash, but better ask Bruce Schneier:

Yes, BCrypt has an upper limit of 72 characters. It's a limitation by
the Blowfish cipher itself. One way to work around it is by using
SHA-256 first and then BCrypt the result. In your case it would be
something like

hashpw(sha256('pass'), salt)
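As an added illustration that is not part of this thread, the following PHP script shows the truncation Brion asks about through password_hash()/password_verify(), and the SHA-256 pre-hash wrapper the linked answer suggests; prehash(), hash_passphrase() and verify_passphrase() are my own names, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the thread: demonstrates bcrypt's 72-byte
// truncation via password_hash()/password_verify() and a SHA-256 pre-hash
// wrapper. prehash(), hash_passphrase() and verify_passphrase() are my own.
// Cost 4 is PHP's minimum and is used only to keep the demo fast.

// Two 73-byte passphrases that differ only in byte 73.
$a = str_repeat('x', 72) . 'A';
$b = str_repeat('x', 72) . 'B';

$plain = password_hash($a, PASSWORD_BCRYPT, ['cost' => 4]);
echo "plain bcrypt, wrong byte 73 accepted: ",
     var_export(password_verify($b, $plain), true), "\n";

// Brion's UTF-8 point: 25 three-byte code points already exceed 72 bytes.
$cjk = str_repeat("\u{4E2D}", 25);
echo "25 CJK characters occupy ", strlen($cjk), " bytes\n";

// Hex SHA-256 is 64 ASCII bytes: under the limit and free of NUL bytes.
// Raw digest bytes can contain 0x00, which bcrypt implementations that
// treat the key as a C string read as end of key, so never pass raw
// digest output to bcrypt; pass an encoded form like hex or base64.
function prehash(string $password): string {
    return hash('sha256', $password);
}

function hash_passphrase(string $password): string {
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 4]);
}

function verify_passphrase(string $password, string $stored): bool {
    return password_verify(prehash($password), $stored);
}

$wrapped = hash_passphrase($a);
echo "pre-hashed, correct passphrase accepted: ",
     var_export(verify_passphrase($a, $wrapped), true), "\n";
echo "pre-hashed, wrong byte 73 accepted: ",
     var_export(verify_passphrase($b, $wrapped), true), "\n";
```

Hashes produced through the wrapper are not interchangeable with existing plain password_hash() output, so switching an installed system over needs a migration path for already stored hashes.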



_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l