6

I think I have reached the limit for crypt($string) at 72 chars. Here is the code:

```php
<?php
// 72-character test password
$p = '0123456789abcdefghij0123456789abcdefghij0123456789abcdefghij0123456789++';
var_dump($p);

// bcrypt salt: "$2y$" prefix, cost 12, then 22 characters of salt
$salt = '$2y$12$' . substr(str_replace('+', '.',
            base64_encode(sha1(microtime(true), true))), 0, 22);
var_dump($salt);

$hash = crypt($p, $salt);
var_dump($hash);

// Re-hash using the stored hash as the salt and compare
var_dump($hash === crypt($p, $hash));
var_dump($hash === crypt($p.'a', $hash));
var_dump($hash === crypt($p.'-or-anthing else beyond this...', $hash));
```

Output is:

```
string(72) "0123456789abcdefghij0123456789abcdefghij0123456789abcdefghij0123456789++"
string(29) "$2y$12$nLe2d618C6YN0FQ0vODGvz"
string(60) "$2y$12$nLe2d618C6YN0FQ0vODGvutzCR5h0ngWmDSXtFdSt2dPAW5vgPd1e"
bool(true)
bool(true)
bool(true)
```

Is it normal behaviour that 72 chars is the maximum input string?

Till Helge
Glavić

1 Answer

7

Yes, after investigating a little, the bcrypt algorithm is limited to 72 characters. Anything beyond that gets truncated.

However, being a hashing algorithm designed for password hashing, I doubt you'll ever need to worry about that limitation.

Madara's Ghost
  • Where can I read more about that limit? I really need to be sure that 72 characters are the limit. Can a character be UTF-8/16/32 and still count as one character? – Glavić Aug 03 '12 at 20:27
  • @glavi: Yes. `crypt` is binary safe. I did not find any official resources on that though. – Madara's Ghost Aug 03 '12 at 20:58
  • OK, I will limit password length input. Thanks for your trouble. – Glavić Aug 03 '12 at 21:48
  • For a detailed explanation of why this is, check out the answer on the [Security Stack Exchange](http://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length) –  Feb 25 '16 at 04:05
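
An added example, not part of the original thread: one way to limit password input as discussed above, measuring the limit in bytes (which is how bcrypt applies it) so that multi-byte UTF-8 passwords are handled correctly. It uses `password_hash()` rather than the question's `crypt()` call with a hand-built salt; `hash_password_checked` and `BCRYPT_MAX_BYTES` are hypothetical names, and the sample strings are constructed.

```php
<?php
// Added example, not code from the thread.
const BCRYPT_MAX_BYTES = 72; // bcrypt uses at most this many bytes of input

/**
 * Hash with bcrypt, but refuse input that bcrypt would silently truncate.
 * strlen() counts bytes, which is the unit the limit applies to.
 */
function hash_password_checked(string $password, int $cost = 12): string
{
    $bytes = strlen($password);
    if ($bytes > BCRYPT_MAX_BYTES) {
        throw new LengthException(
            "Password is $bytes bytes; bcrypt would ignore everything after byte " . BCRYPT_MAX_BYTES
        );
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Constructed sample inputs.
$ascii72 = str_repeat('0123456789abcdefghij', 3) . '0123456789++'; // the 72-byte string from the question
$utf8    = str_repeat("\u{00e9}", 40);                              // 40 x "é" = 80 bytes in UTF-8

// Cost 4 only keeps the demonstration fast; use a production cost for real hashes.
$demo = ['cost' => 4];

// Unchecked: a suffix after byte 72 does not change the result of verification.
$hash = password_hash($ascii72, PASSWORD_BCRYPT, $demo);
var_dump(password_verify($ascii72 . '-extra', $hash));

// Multi-byte: only the first 36 "é" (72 bytes) of the 40 take part in the hash.
$hash = password_hash($utf8, PASSWORD_BCRYPT, $demo);
var_dump(password_verify(str_repeat("\u{00e9}", 36), $hash));

// Checked: over-long input is rejected instead of being truncated.
foreach ([$ascii72, $ascii72 . 'a', $utf8] as $candidate) {
    try {
        hash_password_checked($candidate, 4);
        printf("%d bytes: accepted\n", strlen($candidate));
    } catch (LengthException $e) {
        printf("%d bytes: rejected (%s)\n", strlen($candidate), $e->getMessage());
    }
}
```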