How long should I make my key for PHP's hash_hmac when used with SHA-512?
I'm using this code to hash passwords:
$hash = hash_hmac('sha512', $password . $salt, $hmac_key); // hex-encoded HMAC-SHA512, 128 characters
Is 4096 bits enough for a key?
Thank you!
For password hashing? Sure. Just a long enough salt will be enough.
You need to realise what the purpose of using a hash here is. You're hashing passwords so that if anyone gets hold of these hashes, they cannot infer the original passwords from them. We use salts so that brute force and rainbow table based attacks are less effective, and we make salts unique for each password so that two users using the same password have different hashes. HMAC does not add anything to security here, except acting as a kind of salt.
HMAC is relevant when you use a hashing function as a digital signature of a message/file (the way php.net uses it on their downloads page, for example). You use an HMAC key so that only people who know this key can verify the authenticity of the hashed content (as contrasted to php.net downloads, where everyone can check the md5 of a downloaded file) and to make it more difficult to spoof a message that produces the same hash (you need to know the key to know what hash to target).
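The following is an added example, not code from the question or the answer above. It shows three things the thread touches on in runnable form: what HMAC-SHA512 actually does with a 4096-bit key (RFC 2104 hashes any key longer than the 128-byte SHA-512 block size down to its 64-byte digest before use, so extra key length beyond that buys nothing), the per-user-salt-plus-server-key password pattern from the question with a constant-time check, and the keyed message-tag use the answer describes. It assumes PHP 7 or later (for random_bytes, hash_equals and scalar type declarations); all keys, users and messages are constructed for illustration.

```php
<?php
// Added example (not from the question or answer). Assumes PHP >= 7.0.
// Every key, password and message below is constructed for illustration.

// 1. Key length. HMAC (RFC 2104) replaces any key longer than the hash's block
// size (128 bytes for SHA-512) with H(key), a 64-byte digest. So a 4096-bit
// (512-byte) key is used by HMAC exactly as its 64-byte SHA-512 digest would be.
function hmac_long_key_equivalent(string $message, string $longKey): bool
{
    if (strlen($longKey) <= 128) {
        throw new InvalidArgumentException('key must exceed the 128-byte SHA-512 block size');
    }
    $direct  = hash_hmac('sha512', $message, $longKey);
    $reduced = hash_hmac('sha512', $message, hash('sha512', $longKey, true));
    return hash_equals($direct, $reduced);
}

// 2. The password pattern from the question, made concrete: a random per-user
// salt stored beside the hash, plus a server-side HMAC key that is kept apart
// from the hash store (this is the "kind of salt" role the answer refers to).
function make_password_record(string $password, string $hmacKey): array
{
    $salt = random_bytes(16);                                       // unique per user
    $hash = hash_hmac('sha512', $password . $salt, $hmacKey, true); // raw 64 bytes
    return ['salt' => bin2hex($salt), 'hash' => bin2hex($hash)];
}

function verify_password(string $password, array $record, string $hmacKey): bool
{
    $salt      = hex2bin($record['salt']);
    $candidate = hash_hmac('sha512', $password . $salt, $hmacKey, true);
    // Constant-time comparison so timing does not leak how many leading bytes matched.
    return hash_equals(hex2bin($record['hash']), $candidate);
}

// 3. The message-authentication use from the answer: the key holder tags a
// message, and only someone holding the same key can verify (or forge) a tag.
function tag_message(string $message, string $key): string
{
    return hash_hmac('sha512', $message, $key);
}

function verify_tag(string $message, string $tag, string $key): bool
{
    return hash_equals(tag_message($message, $key), $tag);
}

// Demonstration with constructed inputs.
$longKey = random_bytes(512);   // 4096 bits, as in the question
var_dump(hmac_long_key_equivalent('hello', $longKey));

$hmacKey = random_bytes(64);    // 64 bytes is already the full key size HMAC-SHA512 uses
$record  = make_password_record('correct horse battery staple', $hmacKey);
var_dump(verify_password('correct horse battery staple', $record, $hmacKey));
var_dump(verify_password('wrong password', $record, $hmacKey));

$tag = tag_message('php-example-release.tar.gz', $hmacKey);
var_dump(verify_tag('php-example-release.tar.gz', $tag, $hmacKey));
var_dump(verify_tag('php-example-release.tar.gz', $tag, random_bytes(64))); // wrong key
```

Two design points worth noting: the fourth argument `true` to hash_hmac returns raw bytes rather than a hex string, so the stored hash is 64 bytes instead of 128 characters, and all comparisons go through hash_equals rather than `==`. The per-user salt and the server-side key above reproduce the question's pattern; for new password storage, PHP's own password_hash() and password_verify() (PHP 5.5+) are the standard API, because they use a deliberately slow hash where HMAC-SHA512 is fast.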