Maximum length of generated hash when using password_hash?

Question

I\'m using

password_hash($password, PASSWORD_BCRYPT);

to encrypt passwords to store in a database. As I read, there\'s no length limit on

Answer 1

The result of BCrypt will always be a 60 character string. Limitless is only the input for the function, that means you do not (and should not) set a limit to the entered passwords.

Actually BCrypt internally uses only about 72 characters, but it accepts passwords of any length.

If you want to use the function in its future proof form like this (notice the PASSWORD_DEFAULT)...

password_hash($password, PASSWORD_DEFAULT);

...then you should make your database field bigger. Newer PHP versions may replace BCrypt with another default hash algorithm, which may generate longer hashes.