TaneMahuta

Reputation: 367

PHP / MySQL: What data type to choose for encrypted passwords (bcrypt, max. 100 char)

I use the following to encrypt a password before storing it in a MySQL db.

Currently I have limited the password to a length of max. 20 characters since I wasn't sure if longer passwords could cause issues here due to the encryption output.

In PHP I use the following for the encryption:

$pw = password_hash($_POST["pw"], PASSWORD_BCRYPT);

The password is being trimmed on the client side before being passed on.

Can someone tell me if CHAR(60) is enough to cover passwords with up to 100 characters (numbers, upper case and lower case letters, special characters)?

Also, is there a common max. character limit that should be set for passwords, without increasing vulnerability? I learned that some people definitely want to use longer passwords like short phrases etc.

Upvotes: 3

Views: 7076

Answers (1)

martinstoeckli

Reputation: 24071

As the name says, the function password_hash() will calculate a hash of the password. This hash is always of the same length, regardless of the length of the password. So there is no reason to limit the length of the password: accept passwords of any length and only require a minimum length.

Currently the function will calculate a BCrypt hash, whose output will always be 60 characters. A database field of char(60) would therefore be enough to store the hashes.

The hash algorithm used can change in the future, though, to cope with future threats. That's why the manual recommends using the parameter PASSWORD_DEFAULT and a field of varchar(255). This gives the function the necessary room to be future-proof.

$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

Upvotes: 6
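As an added example (not code from the question or the answer above), the following PHP puts the answer into practice end to end: a VARCHAR(255) column, hashing with PASSWORD_DEFAULT, verification with password_verify(), and password_needs_rehash() so that a stored hash is upgraded transparently when the default algorithm or its cost changes. The users table, its column names and the PDO connection are assumptions for illustration only; the final loop needs no database and shows that a 5-character and a 100-character password both produce a 60-character bcrypt string.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes a MySQL database reachable via PDO; table and column names are illustrative.
declare(strict_types=1);

// CHAR(60) fits today's bcrypt output exactly, but VARCHAR(255) leaves room for
// whatever PASSWORD_DEFAULT resolves to in a future PHP version.
const CREATE_USERS_SQL = 'CREATE TABLE IF NOT EXISTS users (
    id            INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    username      VARCHAR(64)  NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)';

function registerUser(PDO $db, string $username, string $password): void
{
    // Enforce only a minimum length; the stored hash has the same length
    // no matter how long the password is.
    if (mb_strlen($password) < 12) {
        throw new InvalidArgumentException('Password must be at least 12 characters');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() reads the algorithm and cost from the stored string,
    // so it keeps working for hashes created with an older default.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the default algorithm or cost has changed since this hash was stored,
    // replace it now while the plaintext is available. This upgrade path is the
    // reason the column must not be sized to the current algorithm's output.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// Stand-alone demonstration of the answer's point (no database needed):
// a 5-character and a 100-character input both yield a 60-character bcrypt hash.
foreach (['short', str_repeat('x', 100)] as $pw) {
    $h = password_hash($pw, PASSWORD_BCRYPT);
    printf("input %3d chars -> hash %d chars: %s\n", strlen($pw), strlen($h), $h);
}
```

Two properties of bcrypt worth knowing when the question says "up to 100 characters": the algorithm only uses the first 72 bytes of the password, so longer inputs are accepted but the remaining bytes do not affect the hash (PASSWORD_ARGON2ID, available when PHP is built with Argon2 support, has no such cap), and the byte count of a UTF-8 password can exceed its character count, which is why the minimum-length check above counts characters with mb_strlen() rather than bytes.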
