
Hash Length

Open ben182 opened this issue 8 years ago • 2 comments

The hashAndEncrypt function will always return a 288 character string - is that correct? Just for my database field.

ben182 avatar May 07 '17 08:05 ben182

Don't rely on it. The library uses PASSWORD_DEFAULT, which is bcrypt. But from PHP 7.2 it is Argon2. The PHP documentation recommends 255 chars for password_hash. So encrypt 255 chars, and the output string length is what you need.

mabar avatar May 07 '17 15:05 mabar

The password default didn't change with PHP 7.2, Argon2 has just been introduced as an additional option. Password defaults can only change to an algorithm that's been in the language for more than two years, so earliest with PHP 7.4.

It's probably best to go with a variable width field of 255 bytes encrypted, yes.

kelunik avatar Mar 11 '18 14:03 kelunik