Newsgroups: php.internals
In-Reply-To: <4e41929c-fbd8-44f3-b72d-1b4e6526d001@app.fastmail.com>
Date: Sun, 9 Feb 2025 15:20:40 +0000
Subject: Re: [PHP-DEV] bcrypt warning on long passwords
To: Rob Landers
Cc: internals@lists.php.net
From: tekiela246@gmail.com (Kamil Tekiela)

Hi,

I would say that this is a pretty bad idea. 72 bytes of entropy are quite a lot for *PASSWORDS*. Even if some users use a pass phrase longer than that, the first 72 bytes are enough to provide sufficient security. People who use it for other stuff, like in the linked article, have only themselves to blame. They use the wrong tool for the job. The limitation of bcrypt is very clearly documented[1].

Triggering a warning at runtime wouldn't be useful to the developer. To avoid such a warning they would need to either reject passwords longer than 72 bytes or truncate them before passing them to password_hash. Both approaches provide no additional security or any other value. That would only annoy either the developers or the users.

Letting bcrypt use only the first 72 bytes is a very safe and easy solution. No need to overcomplicate it.

Regards,
Kamil

[1]: https://www.php.net/manual/en/function.password-hash.php#refsect1-function.password-hash-parameters
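As an added illustration (not part of Kamil's post or of the PHP project's own code), the PHP below shows what the documented 72-byte limit means in practice for PASSWORD_BCRYPT, and the kind of byte-length check an application can apply before calling password_hash() if it chooses to; the function names are my own.

```php
<?php
// Added example, not from the mailing-list post: demonstrates that
// PASSWORD_BCRYPT only consumes the first 72 bytes of the password, and
// shows a byte-length check an application may run before password_hash().

function bcryptUsesOnly72Bytes(): bool
{
    // Constructed sample input: 72 bytes of 'a' followed by different tails.
    $prefix = str_repeat('a', 72);
    // Low cost keeps the example fast; use the default cost in production.
    $hash = password_hash($prefix . 'tail-one', PASSWORD_BCRYPT, ['cost' => 4]);

    // A different password that shares the first 72 bytes still verifies,
    // because bytes beyond the 72nd never reach the bcrypt algorithm.
    $sameFirst72 = password_verify($prefix . 'tail-two', $hash);

    // A password that differs within the first 72 bytes does not verify.
    $differsEarly = password_verify('b' . substr($prefix, 1) . 'tail-one', $hash);

    return $sameFirst72 && !$differsEarly;
}

function exceedsBcryptLimit(string $password): bool
{
    // strlen() counts bytes, which is what bcrypt's limit is measured in.
    // A multibyte UTF-8 passphrase can exceed 72 bytes with far fewer than
    // 72 characters, so mb_strlen() would be the wrong measure here.
    return strlen($password) > 72;
}

var_dump(bcryptUsesOnly72Bytes());
var_dump(exceedsBcryptLimit(str_repeat('é', 40)));  // 40 chars, 80 bytes in UTF-8
var_dump(exceedsBcryptLimit('correct horse battery staple'));
```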