On 05.02.2014 23:03, Brion Vibber wrote:
Is the 72-byte truncation a general bcrypt problem or specific to
password_hash()? Any concerns or a non-issue? Note that some non-Latin
strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most
passwords, but some people like passphrases. :)
-- brion
http://security.stackexchange.com/a/39852 recommends applying sha256 before
password_hash, but better ask Bruce Schneier:
Yes, BCrypt has an upper limit of 72 characters. It's a limitation by
the Blowfish cipher itself. One way to work around it is by using
SHA-256 first and then BCrypt the result. In your case it would be
something like
hashpw(sha256('pass'), salt)
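As an added illustration (not part of the original thread, and not code from PHP or from the linked answer), the following PHP script shows both points above: bcrypt in password_hash() silently ignores everything past byte 72, so two different 25-character CJK passphrases verify against the same hash, and the SHA-256 pre-hash closes that gap. The pre-hash here is hex-encoded rather than raw binary, which is an added detail: the 64 hex characters fit under the 72-byte limit and can never contain a NUL byte, which bcrypt implementations treat as a string terminator.

```php
<?php
// Added example: bcrypt 72-byte truncation in password_hash() and the
// SHA-256 pre-hash workaround. Not code from the original thread.

// Constructed inputs: 24 three-byte UTF-8 characters already fill 72 bytes,
// so the 25th character of each passphrase lies entirely past the limit.
$base  = str_repeat('日', 24);   // 72 bytes of UTF-8
$pass1 = $base . '本';           // 75 bytes
$pass2 = $base . '語';           // 75 bytes, differs only in bytes 73..75

// Pre-hash: SHA-256 of the passphrase, hex-encoded (64 ASCII bytes, no NUL).
function prehash(string $password): string
{
    return hash('sha256', $password);
}

// Plain bcrypt: the differing bytes are never seen by the cipher.
$plain = password_hash($pass1, PASSWORD_BCRYPT);
printf("plain bcrypt, other passphrase verifies: %s\n",
    password_verify($pass2, $plain) ? 'yes (truncated)' : 'no');

// Pre-hashed bcrypt: every byte of the passphrase influences the digest,
// and the digest itself is short enough to be used in full.
$pre = password_hash(prehash($pass1), PASSWORD_BCRYPT);
printf("pre-hashed bcrypt, other passphrase verifies: %s\n",
    password_verify(prehash($pass2), $pre) ? 'yes' : 'no');
printf("pre-hashed bcrypt, correct passphrase verifies: %s\n",
    password_verify(prehash($pass1), $pre) ? 'yes' : 'no');
```

If you adopt the pre-hash in an existing system, every stored hash must be regenerated with the new scheme (or migrated on next successful login), since prehash() output is not the password the old hashes were computed from.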