On 05.02.2014 23:03, Brion Vibber wrote:
> Is the 72-byte truncation a general bcrypt problem or specific to
> password_hash()? Any concerns or a non-issue? Note that some non-Latin
> strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most
> passwords, but some people like passphrases. :)
>
> -- brion

http://security.stackexchange.com/a/39852 recommends to sha256 before password_hash, but better ask Bruce Schneier:

> Yes, BCrypt has an upper limit of 72 characters. It's a limitation by the Blowfish cipher itself. One way to work around it is by using SHA-256 first and then BCrypt the result. In your case it would be something like hashpw(sha256('pass'), salt)

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
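The truncation and the pre-hash workaround from the thread, as an added PHP example (not code from the thread or from MediaWiki). It assumes PHP 7.1+ with mbstring; the `prehash()` helper name and the sample passwords are constructed for the demonstration. The pre-hash is base64-encoded rather than passed as raw bytes so the key can never contain a NUL byte, which C-string based bcrypt implementations treat as the end of the key.

```php
<?php
declare(strict_types=1);

// Workaround from the quoted answer: SHA-256 the password, then bcrypt the
// result. base64 of a 32-byte digest is 44 bytes, always under the 72-byte
// bcrypt limit and free of NUL bytes. (Hypothetical helper for this example.)
function prehash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

// Does the bcrypt hash $hash accept $candidate? Thin wrapper so the checks
// below read uniformly.
function accepts(string $hash, string $candidate): bool
{
    return password_verify($candidate, $hash);
}

// Constructed sample inputs.
$latin      = str_repeat('a', 72);                       // exactly 72 bytes
$latinPlus  = $latin . 'this-suffix-is-beyond-byte-72';  // differs only after byte 72
$cjk        = str_repeat('語', 25);                      // 25 chars, 3 bytes each = 75 bytes
$cjkAlt     = str_repeat('語', 24) . '字';                // identical in its first 72 bytes

// Brion's point: a 3-byte-per-character script fits only 24 characters in 72 bytes.
printf("passphrase: %d characters, %d bytes\n", mb_strlen($cjk, 'UTF-8'), strlen($cjk));

// 1. Plain bcrypt: bytes past 72 do not take part in the hash, so a hash of
//    $latin also verifies $latinPlus, and a hash of $cjk also verifies $cjkAlt.
$plainLatin = password_hash($latin, PASSWORD_BCRYPT);
$plainCjk   = password_hash($cjk, PASSWORD_BCRYPT);
printf("plain bcrypt, Latin suffix accepted:   %s\n", var_export(accepts($plainLatin, $latinPlus), true));
printf("plain bcrypt, 25th CJK char ignored:   %s\n", var_export(accepts($plainCjk, $cjkAlt), true));

// 2. Pre-hashed: every byte of the password feeds SHA-256, so the two
//    variants no longer collide in the bcrypt input.
$preLatin = password_hash(prehash($latin), PASSWORD_BCRYPT);
$preCjk   = password_hash(prehash($cjk), PASSWORD_BCRYPT);
printf("pre-hashed, Latin suffix accepted:     %s\n", var_export(accepts($preLatin, prehash($latinPlus)), true));
printf("pre-hashed, 25th CJK char ignored:     %s\n", var_export(accepts($preCjk, prehash($cjkAlt)), true));
```

The two plain-bcrypt checks accept the altered passwords because only the first 72 bytes are compared; the two pre-hashed checks reject them.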