I have been doing some research on creating some different hashes, etc. I am aware of the password_hash()
function, however I'm currently creating an initialization value using mcrypt. The issue that is arising is some of the hashed password being clipped if the password is larger than 8 characters.
My current code adds a salt (created by mcrypt_create_iv()
) to a users password. Afterwards it is encrypted using the hash() function. The criteria for a password is anywhere from 8->40 characters.
My column in MySQL looks like varchar (64) using latin1_swedish_ci collation.
How would I calculate the maximum length (MySQL length) that the initialization value could be, as well as the maximum length for the user-inputted password?
Disclaimer: I purposefully left out the encryptions, but will appreciate any documentation for different cipher block init value lengths as well as hash lengths. (Not sure the terminology, hope that makes sense.)
Hash functions as well as password_hash()
- which implements different Password Based Key Derivation Functions (PBKDF) using either a HMAC or a ciphered MAC - always return the same amount of data for any input value. If the password is being truncated then that is because of code that happens before any of these functions is called. Normally these functions return 20 bytes if you use SHA-1.
Of course the salt value needs to be stored as well.
If you store that using hexadecimals then you need twice the number of characters compared to the binary value. If you utilize base 64 encoding you need ( (size + 2) / 3 * 4
) characters if you include padding.
So your password can be as long or short as wanted, the salt takes one byte (encoding) per byte.
It is strongly recommended that you also store some kind of indicator of the function used. That may be a single byte indicating your current protocol. That way you can upgrade your password protocol per entry once a user returns to fill out his (new) password.