php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #75772 Incorrect limit specified on blowfish passwords
Submitted: 2018-01-07 11:55 UTC Modified: 2018-01-25 20:20 UTC
From: Thomas_Gnandt at gmx dot net Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Thomas_Gnandt at gmx dot net
New email:
PHP Version: OS:

 

 [2018-01-07 11:55 UTC] Thomas_Gnandt at gmx dot net
Description:
------------
The documentation states
"Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters."
This is not true. The password is being truncated to a maximum length of 72 bytes. Since passwords should contain special characters, a lot of which are multi-byte, this should be clarified.
This is incorrect both on the documentation for password_hash() as well as the documentation for crypt().

Test script:
---------------
$pw = str_pad("", 71, 'a');
$salt = ['salt' => 'N9qo8uLOickgx2ZMRZoMye'];
echo password_hash($pw . 'a', PASSWORD_DEFAULT, $salt ) . PHP_EOL;
echo password_hash($pw . 'ä', PASSWORD_DEFAULT, $salt ) . PHP_EOL;
echo password_hash($pw . 'ö', PASSWORD_DEFAULT, $salt ) . PHP_EOL;

Expected result:
----------------
Three differnt hashes

Actual result:
--------------
$2y$10$N9qo8uLOickgx2ZMRZoMye5mlC/WoAmNnGP3YkHGchsBkco85S4ZC
$2y$10$N9qo8uLOickgx2ZMRZoMyeWZPaNHNhngTN.zngPxYMmerH0ZknF7.
$2y$10$N9qo8uLOickgx2ZMRZoMyeWZPaNHNhngTN.zngPxYMmerH0ZknF7.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-01-25 20:20 UTC] vrana@php.net
-Status: Open +Status: Not a bug
 [2018-01-25 20:20 UTC] vrana@php.net
In PHP, character == byte.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jul 03 06:01:34 2025 UTC