I had a quick look at the tutorial and it contains some quite odd
info, it seems to me. Specifically:
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die("Password must be 72 characters or less"); }
phpass uses crypt internally to hash with blowfish, if you don't use a
portable hash. When you hash long passwords with crypt using blowfish,
it looks like this:
<?php
// Three passwords that differ only in length: 71, 72 and 73 bytes.
$string0 = str_repeat('a', 71);
$string1 = str_repeat('a', 72);
$string2 = str_repeat('a', 73);
// base64_encode() gives 24 chars; crypt() only reads the first 22 as the
// bcrypt salt, and keeps just the top 2 bits of the 22nd, hence the
// trailing '.' in the outputs below.
$salt = base64_encode('saltsaltsaltsalt');
// outputs $2a$12$c2FsdHNhbHRzYWx0c2Fsd.a9Quc5HIlkY/PQQC5zvUxS93pwHM8Km
echo crypt($string0, '$2a$12$' . $salt) . PHP_EOL;
// outputs $2a$12$c2FsdHNhbHRzYWx0c2Fsd.BRTZE5ipSuMcmxypumwDipO8f1ahMyG
echo crypt($string1, '$2a$12$' . $salt) . PHP_EOL;
// outputs $2a$12$c2FsdHNhbHRzYWx0c2Fsd.BRTZE5ipSuMcmxypumwDipO8f1ahMyG
// (identical to the 72-byte case: byte 73 is never used)
echo crypt($string2, '$2a$12$' . $salt) . PHP_EOL;
Notice that crypt happily hashes all three strings - and,
problematically, hashes $string1 and $string2 to the same hash. The
actual problem of using long passwords with blowfish is that
information is thrown away - not a DoS exploit. Also, given the
comments, it seems the blog author doesn't quite know how crypt/phpass
works - suggesting that a longer password takes more CPU to hash,
which is not the case (same time spent hashing a 72 char password as a
7200000 char one). Digging through Google, it seems this bit of info
actually comes from the author of phpass, which is odd ...
Anyway, this is all just in the way of saying: a better example would be good :)
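As an added example (not code from the post above, from the tutorial it reviews, or from phpass), the same 72-byte truncation seen through PHP's built-in password_hash()/password_verify() (bcrypt, "$2y$"), together with the byte-length check a registration form would want and the multibyte caveat that goes with it. The function names fitsInBcrypt and indistinguishable, the constructed sample passwords and the low cost factor are my own choices for the demo:

```php
<?php
// Added example, not code from the original post, the tutorial it reviews,
// or phpass. Uses PHP's own password_hash()/password_verify() (bcrypt, "$2y$")
// to show that only the first 72 bytes of a password are hashed, and what a
// registration-time check for that limit looks like. Cost 4 is used only so
// the demo runs quickly; use a much higher cost in production.

const BCRYPT_MAX_BYTES = 72;
const DEMO_COST = 4;

function bcryptHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => DEMO_COST]);
}

// Registration-time guard. strlen() counts bytes, which is what bcrypt
// truncates on; a character count (mb_strlen) would accept multibyte UTF-8
// passwords that still lose their tail.
function fitsInBcrypt(string $password): bool
{
    return strlen($password) <= BCRYPT_MAX_BYTES;
}

// True when $candidate verifies against a fresh hash of $stored, i.e. when
// bcrypt cannot tell the two passwords apart.
function indistinguishable(string $stored, string $candidate): bool
{
    return password_verify($candidate, bcryptHash($stored));
}

$p72  = str_repeat('a', 72);
$p73  = $p72 . 'b';                  // differs from $p72 only in byte 73
$p72x = str_repeat('a', 71) . 'b';   // differs within the first 72 bytes

printf("73-byte password vs hash of its 72-byte prefix: %s\n",
    indistinguishable($p72, $p73) ? 'verifies (byte 73 ignored)' : 'rejected');
printf("change inside the first 72 bytes: %s\n",
    indistinguishable($p72, $p72x) ? 'verifies' : 'rejected');

// Multibyte caveat: 36 copies of "é" (2 bytes each in UTF-8) already fill
// 72 bytes, so a 37th character is silently dropped even though the
// password is "only" 37 characters long.
$e36 = str_repeat("\xC3\xA9", 36);
printf("36 x 'é' = %d bytes; 37 x 'é' against hash of 36 x 'é': %s\n",
    strlen($e36),
    indistinguishable($e36, $e36 . "\xC3\xA9") ? 'verifies' : 'rejected');

printf("fitsInBcrypt(72 bytes): %s\n", fitsInBcrypt($p72) ? 'yes' : 'no');
printf("fitsInBcrypt(73 bytes): %s\n", fitsInBcrypt($p73) ? 'yes' : 'no');

// The bcrypt core's cost does not grow with password length: only the first
// 72 bytes enter the key schedule, so a 72-byte and a 72000-byte password
// take about the same time to hash (only the strlen()/copy is longer).
foreach ([72, 72000] as $len) {
    $start = microtime(true);
    bcryptHash(str_repeat('a', $len));
    printf("%6d-byte password hashed in %.1f ms\n", $len, (microtime(true) - $start) * 1000);
}
```

Run it with `php example.php`. The check is deliberately on strlen() rather than a character count because the limit is on bytes as fed to crypt; whether to reject over-long passwords or shorten them to the accepted length is a product decision, but either way the user should be told, rather than having the tail silently discarded as crypt() does by default.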