When using Laravel’s Hash::make() method (i.e. bcrypt):
- is there a maximum input length for the secret?
- what happens if this length is exceeded?
- does the returned value always have the same length?
I want to know if a password field in a user registration form should be validated against a maximum length or not. The form is handled like this:
public function action_register()
{
    $rules = array(
        'username' => 'required',
        'password' => 'required|min:10'
    );
    $validation = Validator::make(Input::all(), $rules);
    if ($validation->passes())
    {
        $user = new User;
        // read the field that was actually validated ('username'), not an unvalidated 'name'
        $user->name = Input::get('username');
        // store the bcrypt hash, never the plaintext password
        $user->password = Hash::make(Input::get('password'));
        $user->save();
        //todo - report success
    }
    else
    {
        //todo - report errors
    }
}
A hash algorithm can take a variable of any length (or type — it doesn’t even have to be a string), and outputs a computed “hash” of that variable.
Apart from passwords, another common use for hashes is to provide a verification key for a downloadable file, i.e. "here's the download link, and here's a hash value for the file so you can prove that the copy you receive hasn't been tampered with". This is often used for files as big as CD or DVD images, so there definitely isn't any limit to the input length.
So the short answer is no, there is no need for a maximum length for your password field.
(in fact, hackers look for sites that specify a max length for passwords, on the assumption that this means they aren’t hashing their passwords and are vulnerable to attack)
To answer the other part of your question: Yes, the computed hash value is always the same length, assuming you use the same hashing algorithm every time.
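An added example, not code from the question or the answer above, that checks the specific questions asked (maximum input length, what happens past it, and output length) against PHP's built-in bcrypt, which is the native implementation Laravel's bcrypt hasher delegates to. Unlike a general-purpose digest such as SHA-256, bcrypt uses only the first 72 bytes of the password: a 73-byte password that differs from a 72-byte one only in its last byte verifies against the same hash, PHP raises no error for the over-long input, and the hash is always 60 characters. The constant `BCRYPT_MAX_BYTES` and the helper `exceedsBcryptLimit()` are this example's own names, not part of PHP or Laravel.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). Uses PHP's
// native password_hash()/password_verify(), i.e. the same bcrypt that
// Laravel's bcrypt driver ultimately calls.

// bcrypt's input limit is 72 *bytes*, not 72 characters. (Example's own constant.)
const BCRYPT_MAX_BYTES = 72;

// True when bcrypt would silently ignore part of this password.
// strlen() counts bytes, so multibyte characters are handled correctly;
// Laravel's `max:` validation rule counts characters (mb_strlen), which is
// not the same check.
function exceedsBcryptLimit(string $password): bool
{
    return strlen($password) > BCRYPT_MAX_BYTES;
}

function demo(): void
{
    $base  = str_repeat('a', BCRYPT_MAX_BYTES);  // exactly 72 bytes
    $long  = $base . 'b';                        // 73 bytes: differs only past the limit
    $short = substr($base, 0, 71);               // 71 bytes: differs inside the limit

    $hash = password_hash($base, PASSWORD_BCRYPT);

    // 1. Output length is fixed whatever the input length was.
    printf("hash length: %d\n", strlen($hash));

    // 2. The 73rd byte was dropped both when hashing and when verifying,
    //    so the longer password is accepted against the shorter one's hash.
    printf("73-byte password accepted: %s\n",
        password_verify($long, $hash) ? 'yes' : 'no');

    // 3. A difference within the first 72 bytes is still detected.
    printf("71-byte password accepted: %s\n",
        password_verify($short, $hash) ? 'yes' : 'no');

    // 4. Bytes, not characters: 37 copies of a 4-byte UTF-8 character is
    //    148 bytes, far past the limit, even though it is "only" 37 characters.
    $multibyte = str_repeat("\u{1F512}", 37);
    printf("%d characters, %d bytes, over bcrypt limit: %s\n",
        mb_strlen($multibyte), strlen($multibyte),
        exceedsBcryptLimit($multibyte) ? 'yes' : 'no');
}

demo();
```

Run it with the PHP CLI (`php demo.php`). The practical consequence for the registration form: a `max:` rule is not needed for the hash to work, but any bytes after the 72nd contribute nothing to the stored hash, so if you do want to enforce a ceiling, check it in bytes (as `exceedsBcryptLimit()` does) rather than relying on a character-counting rule, or pre-hash the password with a fixed-length digest before passing it to bcrypt.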