Security Issue: Combining Bcrypt With Other Hash Functions

The other day, I was directed at an interesting question on StackOverflow asking whether password_verify() is safe against DoS attacks using extremely long passwords. The runtime of many hashing algorithms grows with the amount of data fed into them. This can lead to a DoS attack where an attacker provides an exceedingly long password and ties up server resources. It's a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72-character passwords, so on the surface it looks like it shouldn't be vulnerable. But I chose to dig in further to be sure. What I found surprised me.
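The following PHP snippet is an added example, not code from the original post; it illustrates the two facts the paragraph rests on. Bcrypt only reads the first 72 bytes of the password, so password_verify() accepts a one-megabyte string against a hash of its first 72 bytes, and the time password_hash() takes is set by the cost factor rather than by input length. A plain digest such as SHA-256 is timed alongside for contrast, since its runtime does scale with input size. The 1 MB input and the cost of 10 are constructed values chosen for the demonstration.

```php
<?php
// Added example (not from the original post): bcrypt ignores bytes past the
// 72nd, so password_hash()/password_verify() cost does not grow with
// password length the way a plain digest's cost does.

function timeMs(callable $fn): float {
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6; // milliseconds
}

$cost  = 10;                                            // constructed: demo cost factor
$short = str_repeat('a', 72);                           // exactly bcrypt's input limit
$long  = $short . str_repeat('b', 1000000);             // constructed: 1 MB password

$hash = password_hash($short, PASSWORD_BCRYPT, ['cost' => $cost]);

// Everything after byte 72 is discarded by bcrypt, so the long string
// verifies against the hash that was computed from the short one.
var_dump(password_verify($long, $hash));

// bcrypt runtime is dominated by the cost factor, not by input length.
printf("bcrypt, 72 bytes: %.1f ms\n",
    timeMs(function () use ($short, $cost) {
        password_hash($short, PASSWORD_BCRYPT, ['cost' => $cost]);
    }));
printf("bcrypt, 1 MB:     %.1f ms\n",
    timeMs(function () use ($long, $cost) {
        password_hash($long, PASSWORD_BCRYPT, ['cost' => $cost]);
    }));

// A plain digest, by contrast, must read every byte of the input.
printf("sha256, 1 MB:     %.3f ms\n",
    timeMs(function () use ($long) {
        hash('sha256', $long);
    }));
```

Run it from the command line with `php` (7.3 or later for hrtime()). The two bcrypt timings come out within noise of each other, which is why a length-based DoS does not work against bcrypt directly; the SHA-256 line shows the linear scaling that would apply if the password were first passed through a digest of unbounded input.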

Read more: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html
