Hey,
Is the 72-byte truncation a general bcrypt problem or specific to
password_hash()? Any concerns or a non-issue? Note that some non-Latin
strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most
passwords, but some people like passphrases. :)
I have a 100 char password.
The Whirlpool algorithm by Tim would force password cracking software to do
a custom implementation for our hashes. It has very similar work effort to
bcrypt, and should keep our passwords as safe as using bcrypt. The theory
behind it seems good, but obviously, we might discover a gaping hole in it
at some point.
I'm very concerned about implementing our own crypto. After all, the first
rule of crypto is to not roll your own.
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil. ~=[,,_,,]:3
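The 72-byte limit asked about above comes from bcrypt's key schedule, which XORs the password into its 18-word P-array four bytes at a time (18 * 4 = 72). Added example, not from this thread or from PHP's password_hash(): a Python model of that one step, showing that bytes past index 71 never reach the hash and that 24 three-byte UTF-8 characters fill the limit exactly.

```python
# Added example, not from this thread: models the one step of bcrypt's key
# schedule that reads the password, to show why only the first 72 bytes matter.
# Assumption: bcrypt's ExpandKey XORs 18 consecutive big-endian 32-bit words
# of the password (cycled when shorter) into the P-array; 18 * 4 = 72 bytes.

P_ARRAY_WORDS = 18
BCRYPT_MAX_BYTES = P_ARRAY_WORDS * 4  # 72


def key_words(password: bytes) -> list[int]:
    """Return the 18 words bcrypt's key schedule derives from the password.
    Bytes are read cyclically: a short password repeats, and any byte at
    index 72 or later is never read at all."""
    if not password:
        raise ValueError("empty password")
    words = []
    pos = 0
    for _ in range(P_ARRAY_WORDS):
        word = 0
        for _ in range(4):
            word = (word << 8) | password[pos % len(password)]
            pos += 1
        words.append(word)
    return words


def effective_bytes(password: str) -> bytes:
    """The UTF-8 bytes of the password that bcrypt actually uses."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def fits_in_bcrypt(password: str) -> bool:
    """True if every byte of the password influences the hash; False if
    bcrypt would silently drop the tail (worth detecting up front)."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


if __name__ == "__main__":
    # Constructed samples: a 100-character ASCII passphrase and a variant
    # that differs only in its last character.
    long_pw = "correct horse battery staple " * 3 + "thirteen more"
    variant = long_pw[:-1] + "?"
    print(len(long_pw), key_words(long_pw.encode()) == key_words(variant.encode()))
    # 24 three-byte characters fill the 72 bytes exactly; a 25th is dropped.
    cjk = "密" * 24
    print(len(cjk.encode()), fits_in_bcrypt(cjk), fits_in_bcrypt(cjk + "密"))
```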