Newsgroups: php.internals
Date: Mon, 25 Sep 2023 20:55:17 +0100
From: tekiela246@gmail.com (Kamil Tekiela)
To: Levi Morrison
Cc: Tim Düsterhus, PHP internals
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost

Yes, BCrypt uses only the first 72 bytes for hash generation. You can test it with:

    var_dump(password_verify(str_repeat('a', 72).'sdfsdf', password_hash(str_repeat('a', 80), PASSWORD_BCRYPT)));

But I would not consider this an issue. Users rarely create passwords longer than 72 bytes. 72 bytes is still a very long password and not easily guessable. What's more important is to have the minimum limit check. But why bother checking the 72 maximum if the algorithm won't complain about longer input? It doesn't impact security in any way.
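An added example (not part of Kamil's post or of PHP's own code) that makes the two points above concrete: the 72-byte bcrypt limit is counted in bytes, so multibyte UTF-8 passwords reach it with fewer characters, and a minimum-length check belongs in front of password_hash(). The minimum of 12 bytes and the cost of 12 are assumed policy values, not anything the thread fixed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Shows bcrypt's 72-byte
// truncation (in bytes, not characters) and a minimum-length check.

const BCRYPT_MAX_BYTES = 72;
const MIN_PASSWORD_BYTES = 12; // assumed policy value

function hashPassword(string $password): string
{
    // strlen() counts bytes; mb_strlen() would count characters.
    if (strlen($password) < MIN_PASSWORD_BYTES) {
        throw new InvalidArgumentException('Password is shorter than the minimum length');
    }
    // cost 12 is an assumed value here; the default is what the RFC vote is about.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// True when bytes beyond the 72nd are ignored by bcrypt but a change
// inside the first 72 bytes is still detected.
function bytesBeyond72AreIgnored(): bool
{
    $base = str_repeat('a', BCRYPT_MAX_BYTES);
    // cost 4 (PHP's minimum) keeps the demonstration fast
    $hash = password_hash($base . 'tail-one', PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($base . 'different-tail', $hash)
        && !password_verify(substr($base, 0, 71) . 'X', $hash);
}

// 'é' is 2 bytes in UTF-8, so 36 of them already fill the 72-byte limit.
function multibyteFillsLimit(): bool
{
    $p = str_repeat("\u{e9}", 36); // 72 bytes, 36 characters
    $hash = password_hash($p . 'extra', PASSWORD_BCRYPT, ['cost' => 4]);
    return strlen($p) === 72
        && mb_strlen($p) === 36
        && password_verify($p, $hash);
}

var_dump(bytesBeyond72AreIgnored());
var_dump(multibyteFillsLimit());
var_dump(password_get_info(hashPassword('correct horse battery'))['algoName']);
```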