Maximum length of generated hash when using password_hash?

giozh picture giozh · Jan 31, 2014 · Viewed 15.1k times · Source

I'm using

password_hash($password, PASSWORD_BCRYPT);

to encrypt passwords to store in a database. As I read, there's no length limit on generated hashes, but I need to know the maximum length so I can use it to define the field in my database which can fit all password hashes (in a worst case scenario).

If I put a limit of 20 characters for the password in plain text, how long will the password_hash() result will be?

Answer

Tim Cooper picture Tim Cooper · Jan 31, 2014

From the password_hash documentation:

The following algorithms are currently supported:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

Therefore, using PASSWORD_BCRYPT, the result of password_hash will be a 60 character string.