How long is the string returned by sodium_crypto_pwhash_str() in PHP? Does it vary with the plaintext? The options $opslimit and $memlimit? Basically, I want to know how long a database field to give it.
Asked
Active
Viewed 366 times
2 Answers
1
The maximum length of a hashed password is crypto_pwhash_STRBYTES, which is 128 bytes.
This constant is not exposed in the PHP bindings yet, but I'm going to add it soon.
Update: this has been added to the PECL extension.
Frank Denis
- 1,475
- 9
- 12
0
I've run some tests on sodium_crypto_pwhash_str() with rough timings. In the code below, tests 1, 2, and 3 are with passwords of 4, 40, and 400 characters. This did not make any difference to the timings or the hash length. Tests i, m, and s use the SODIUM_CRYPTO_PWHASH_*_INTERACTIVE, SODIUM_CRYPTO_PWHASH_*_MODERATE, and SODIUM_CRYPTO_PWHASH_*_SENSITIVE. This resulted in hashes of 97, 98, and 99 characters respectively. The *_SENSITIVE tests took about 6 times as long as the *_MODERATE tests. These latter took about 6 times as long as the *_INTERACTIVE tests.
Here is my test code.
$pass1 = bin2hex(openssl_random_pseudo_bytes(2));
$pass2 = bin2hex(openssl_random_pseudo_bytes(20));
$pass3 = bin2hex(openssl_random_pseudo_bytes(200));
$t = microtime(true);
$test1i = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time1i = microtime(true) - $t;
$t = microtime(true);
$test1m = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time1m = microtime(true) - $t;
$t = microtime(true);
$test1s = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time1s = microtime(true) - $t;
$t = microtime(true);
$test2i = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time2i = microtime(true) - $t;
$t = microtime(true);
$test2m = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time2m = microtime(true) - $t;
$t = microtime(true);
$test2s = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time2s = microtime(true) - $t;
$t = microtime(true);
$test3i = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time3i = microtime(true) - $t;
$t = microtime(true);
$test3m = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time3m = microtime(true) - $t;
$t = microtime(true);
$test3s = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time3s = microtime(true) - $t;
$len1 = strlen($pass1);
$len2 = strlen($pass2);
$len3 = strlen($pass3);
$pLen1 = str_repeat(' ', 3 - strlen($len1)) . $len1;
$pLen2 = str_repeat(' ', 3 - strlen($len2)) . $len2;
$pLen3 = str_repeat(' ', 3 - strlen($len3)) . $len3;
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len1, $test1i, $time1i, $test1m, $time1m, $test1s, $time1s);
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len2, $test2i, $time2i, $test2m, $time2m, $test2s, $time2s);
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len3, $test3i, $time3i, $test3m, $time3m, $test3s, $time3s);
One run gave me the following results:
Pass length: 4; I: 97 chars (0.06 secs); M: 98 chars (0.37 secs); S: 99 chars (2.24 secs)
Pass length: 40; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.22 secs)
Pass length: 400; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.18 secs)
However, I'm still less than fully comfortable with empirical coding. :-(
user3250335
- 457
- 2
- 4
- 13