So hackers are trying to guess just the Password, and obviously, a shorter Password is easier to guess than a long one, right?
And the fact that a Password of Length=2 or Length=200 gets reduced to a Hash Length=40 shouldn't really be a concern of mine, right?
But tell me more about these "collisions"?
If "password123" and "cotton candy" both resolve to "1234567890xxxxxxxxxx1234567890yyyyyyyyyy", then do I have to worry that User 1 could hack into User 2's account?
And could that collision break my PHP code or my database?
I guess I am not understanding where this would cause issues? :-/
So in that case a longer password really does make it more secure, because there are a lot more possibilities than with a shorter password. For simplicity's sake, if you only consider letters (lower and upper case) and numbers, every position you add to the password multiplies the number of possibilities a hacker has to go through by 62, and in general the number of possibilities is 62^(number of characters). Use some graph software to draw that function and see what happens.
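The 62^(number of characters) growth described in the answer above, worked through in code. This is an added example and not part of the original thread: it computes the keyspace and equivalent entropy bits for a given alphabet size and length, converts the keyspace into a worst-case brute-force time at an assumed guess rate (the 10 billion guesses/second figure is a constructed assumption, not a measurement), extends the same counting to word-based passphrases (the 7776-word dictionary size is an assumption chosen for the demo), and checks the point raised in the question that a hash such as SHA-1 is 40 hex characters regardless of whether the input was 2 or 200 characters long.

```python
"""Keyspace, entropy and brute-force-time estimates for the 62^n model.

Added example, not code from the original thread. Every rate and
dictionary size below is a constructed assumption for illustration.
"""
import hashlib
import math

# 26 lowercase + 26 uppercase + 10 digits = 62 symbols, as in the answer.
ALNUM = 62

# Constructed assumption: offline attacker with a copy of the hash table,
# trying 10 billion SHA-1 candidates per second on GPU hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed assumption: size of the word list the attacker enumerates
# when guessing word-based passphrases.
ASSUMED_DICTIONARY_SIZE = 7776


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from a
    `charset_size`-symbol alphabet: the 62^n of the answer."""
    if charset_size < 2 or length < 1:
        raise ValueError("need charset_size >= 2 and length >= 1")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Same quantity on a log2 scale. Each extra alphanumeric character
    adds log2(62), roughly 5.95 bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(space: int,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in `space`.
    On average the attacker succeeds after about half of this."""
    return space / guesses_per_second


def passphrase_keyspace(words: int,
                        dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> int:
    """Generalisation of 62^n to passphrases: if the attacker knows the
    phrase is `words` words each taken from a `dictionary_size`-word list,
    the space is dictionary_size^words. Note the attacker's list, not the
    user's vocabulary, sets the base."""
    return keyspace(dictionary_size, words)


def hex_digest_len(password: str) -> int:
    """SHA-1 always produces a 160-bit digest, i.e. 40 hex characters,
    so the stored hash leaks nothing about the password length."""
    return len(hashlib.sha1(password.encode("utf-8")).hexdigest())


def length_table(charset_size: int, max_length: int) -> list:
    """Rows of (length, keyspace, bits, worst-case seconds) for 1..max_length,
    the numbers behind the graph the answer suggests drawing."""
    return [
        (n, keyspace(charset_size, n), entropy_bits(charset_size, n),
         seconds_to_exhaust(keyspace(charset_size, n)))
        for n in range(1, max_length + 1)
    ]


if __name__ == "__main__":
    print(f"{'len':>3} {'keyspace':>24} {'bits':>6} {'worst-case seconds':>20}")
    for n, space, bits, secs in length_table(ALNUM, 12):
        print(f"{n:>3} {space:>24,} {bits:>6.1f} {secs:>20,.0f}")
    print("6-word passphrase keyspace:", f"{passphrase_keyspace(6):,}")
    print("SHA-1 hex length for 2 and 200 chars:",
          hex_digest_len("ab"), hex_digest_len("a" * 200))
```

The table makes the multiplication visible: each row's keyspace is exactly 62 times the previous one, and the worst-case seconds climb from a fraction of a second at length 6 to years at length 12 under the assumed rate. Changing `ASSUMED_GUESSES_PER_SECOND` or the alphabet size shifts every row but not the shape of the curve.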
Do you use pass-phrases?
If so, how long on average?
And if so, can you share in general terms the "formula" you use to achieve a level of security that you are happy with?
For example, would a Pass-Phrase like this be good enough for starters...
"I love spending my Saturday's at the library"