|
I using bcrypt to create a password hash and in the php documentation it says
If I allow users to type more than 72 characters it's like I fooling them because they not using the passsword that they think that they use. So my question is do I need to set maximum length or not |
|||
|
|
|
Well Dmitry is right when he says 72 characters is good. If the characters are random enough. (1.78 bits per character). You can use the approach described (security warning that password is "too long"). Or simply limit password length (with security warning). If you expect your users to enter more than 72 characters, you could as well use SHA-512 to prehash the password, so you'd feed the hash into the bcrypt (as password) and not the actual password. There are no security issues with this approach. However it is non-standard, so if you do need to provide interopability with other applications (not yours) you can't use it. |
|||
|
|
|
I wouldn't worry about it. 72 characters is a quite decent password length, and password truncation is a common practice. Your users will trust you with many security options (like hash algorithm and the number of iterations) which affect security much more than password length. Implementing a warning wouldn't hurt though, that is, if you have nothing else to implement instead. |
|||||
|
