Doc Bug #70615 72-character password limit
Submitted: 2015-10-01 17:52 UTC Modified: 2015-10-07 06:50 UTC
From: dave at qccareerschool dot com Assigned: sobak (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.13 OS:
Private report: No CVE-ID: None
 [2015-10-01 17:52 UTC] dave at qccareerschool dot com
Description:
------------
---
From manual page: http://www.php.net/function.password-hash
---

>Caution
>Using the PASSWORD_BCRYPT for the algo parameter, will result in the password parameter being truncated to a maximum length of 72 characters.

Since PASSWORD_DEFAULT is currently set to PASSWORD_BCRYPT, does using PASSWORD_DEFAULT for the algo parameter _also_ result in a truncated password? It's not entirely clear. Maybe the section should be reworded to

>Caution
>Using bcrypt will result in the password parameter being truncated to a maximum length of 72 characters.

or perhaps

>Caution
>Using PASSWORD_BCRYPT (and, by extension, PASSWORD_DEFAULT) for the algo parameter will result in the password parameter being truncated to a maximum length of 72 characters.



 [2015-10-06 08:13 UTC] sobak@php.net
I would say that the docs are clear. The current form is good, because we won't have to change the documentation once the PASSWORD_DEFAULT value changes. Maybe:

> Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.

is better? Does removing the explicit correlation with the function parameter make it more readable in any way?
 [2015-10-06 13:14 UTC] dave at qccareerschool dot com
>Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.

Oh yes, this addresses the issue as I saw it.
 [2015-10-07 06:49 UTC] sobak@php.net
Automatic comment from SVN on behalf of sobak
Revision: http://svn.php.net/viewvc/?view=revision&revision=337962
Log: Make the caution more clear (closes bug #70615)
 [2015-10-07 06:50 UTC] sobak@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: sobak
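
The behaviour this report asks about, as an added example (not code from the PHP manual or from the participants in this thread): while PASSWORD_DEFAULT resolves to bcrypt, two passwords that share their first 72 bytes verify against the same hash, and the limit counts bytes rather than characters. `hash_checked()` and `BCRYPT_MAX_BYTES` are hypothetical names, the passwords are constructed samples, and PHP 7.0 or later is assumed.

```php
<?php
// Added illustration; not from the PHP manual or the bug report.
// hash_checked() and BCRYPT_MAX_BYTES are hypothetical names.
const BCRYPT_MAX_BYTES = 72;

/**
 * Hash a password, refusing input that bcrypt would silently cut short.
 * The algorithm is read back from the hash, so the check follows
 * PASSWORD_DEFAULT if its value ever changes.
 */
function hash_checked(string $password, $algo = PASSWORD_DEFAULT): string
{
    $hash = password_hash($password, $algo);
    $info = password_get_info($hash);
    // strlen() counts bytes, which is the unit bcrypt's limit applies to.
    if ($info['algoName'] === 'bcrypt' && strlen($password) > BCRYPT_MAX_BYTES) {
        throw new LengthException('password is longer than 72 bytes');
    }
    return $hash;
}

// Constructed sample passwords: identical for the first 72 bytes.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$hash   = password_hash($prefix . '-first-suffix', PASSWORD_DEFAULT);

echo 'PASSWORD_DEFAULT resolves to: ', password_get_info($hash)['algoName'], "\n";

// Same first 72 bytes, different tail.
echo 'different tail accepted: ';
var_dump(password_verify($prefix . '-other-suffix', $hash));

// Differs inside the first 72 bytes.
echo 'different prefix accepted: ';
var_dump(password_verify(str_repeat('a', 71) . 'b', $hash));

// 40 two-byte UTF-8 characters are 80 bytes, so the guard rejects them
// even though the character count is well under 72.
try {
    hash_checked(str_repeat("\u{00E9}", 40));
    echo "40 x U+00E9 hashed without truncation\n";
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```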