mtmacdonald

Reputation: 15070

Is there a maximum input length when using PHP bcrypt (via Laravel's Hash::make)?

When using Laravel's Hash::make() method (i.e. bcrypt):

I want to know if a password field in a user registration form should be validated against a maximum length or not. The form is handled like this:

public function action_register()
{
    $rules = array(
        'username' => 'required',
        'password' => 'required|min:10'   // minimum only; no max length rule
    );

    $validation = Validator::make(Input::all(), $rules);

    if($validation->passes())
    {
        $user = new User;
        $user->name = Input::get('username');                 // same field name as the validated input
        $user->password = Hash::make(Input::get('password')); // bcrypt the password before storing it
        $user->save();
        //todo - report success
    }
    else
    {
        //todo - report errors
    }
}

Upvotes: 3

Views: 5414

Answers (2)

inanimatt

Reputation: 702

Hashes are fixed (or at least maximum) length.

Strictly speaking, there's an upper limit to bcrypt password length, but nothing happens if you exceed it. It's 55 (or maybe 72, depending on who you ask) characters.

As mentioned, it's bad practice to restrict password length, but practically speaking you might want to truncate passwords to something like 1024 characters just to make sure no one plays silly-buggers with your server.

Upvotes: 5
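As an added example (not code from either answer), the following PHP script shows what the 72-byte bcrypt limit means in practice with PHP's built-in password_hash(): bytes past the 72nd are silently ignored, so two passwords that differ only after that point verify as the same password. The helper names bcryptEquivalent() and exceedsBcryptLimit() are chosen here for the demo.

```php
<?php
// Added example, not part of the question or answers: demonstrates bcrypt's
// 72-byte input limit as applied by PHP's password_hash()/password_verify().
declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72;

/** True when bcrypt treats $candidate as the same password as $stored. */
function bcryptEquivalent(string $stored, string $candidate): bool
{
    // cost 4 is the minimum PHP accepts; used only to keep the demo fast
    $hash = password_hash($stored, PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($candidate, $hash);
}

/** Optional pre-hash guard: flag input that bcrypt would silently truncate. */
function exceedsBcryptLimit(string $password): bool
{
    // strlen() counts bytes, which is what bcrypt's limit is measured in
    return strlen($password) > BCRYPT_MAX_BYTES;
}

// Constructed sample inputs
$base    = str_repeat('a', BCRYPT_MAX_BYTES);             // exactly 72 bytes
$longer  = $base . 'X';                                   // differs only at byte 73
$shorter = substr($base, 0, BCRYPT_MAX_BYTES - 1) . 'Z';  // differs at byte 72

printf("differs past byte 72 -> verifies as same: %s\n",
    bcryptEquivalent($base, $longer) ? 'true' : 'false');
printf("differs within 72 bytes -> verifies as same: %s\n",
    bcryptEquivalent($base, $shorter) ? 'true' : 'false');

// Multibyte characters use several bytes each, so the character limit is lower.
$umlauts = str_repeat('ü', 40); // 40 characters, 80 bytes in UTF-8
printf("40 x 'ü' exceeds the byte limit: %s\n",
    exceedsBcryptLimit($umlauts) ? 'true' : 'false');
```

Whether to reject over-long input or let it be truncated is a policy choice; the point of the guard is that a truncation past byte 72 is invisible to the user, so a form that accepts it gives no feedback.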

SDC

Reputation: 14222

A hash algorithm can take a variable of any length (or type -- it doesn't even have to be a string) and outputs a computed "hash" of that variable.

Apart from passwords, another common use for hashes is to provide a verification key for a downloadable file -- i.e. "here's the download link, and here's a hash value for the file so you can prove that the copy you receive hasn't been tampered with". This is often used for files as big as CD or DVD images, so there definitely isn't any limit to the input length.

So the short answer is no, there is no need for a maximum length for your password field.

(In fact, hackers look for sites that specify a max length for passwords, on the assumption that this means they aren't hashing their passwords and are vulnerable to attack.)

To answer the other part of your question: Yes, the computed hash value is always the same length, assuming you use the same hashing algorithm every time.

Upvotes: 1
