What is the maximum length of scrypt output?

Posted 2019-04-06 09:38

Question:

I'd like to store an scrypt-hashed password in a database. What is the maximum length I can expect?

Answer 1:

According to https://github.com/wg/scrypt the output format is $s0$params$salt$key where:

  • s0 denotes version 0 of the format, with 128-bit salt and 256-bit derived key.
  • params is a 32-bit hex integer containing log2(N) (16 bits), r (8 bits), and p (8 bits).
  • salt is the base64-encoded salt.
  • key is the base64-encoded derived key.

According to https://stackoverflow.com/a/13378842/14731 the length of a base64-encoded string is where n denotes the number of bytes being encoded.

Let's break this down:

  • The dollar signs make up 4 characters.
  • The version number makes up 2 characters.
  • Each hex character represents 4 bits ( log2(16) = 4 ), so the params field makes up (32-bit / 4 bits) = 8 characters.
  • The 128-bit salt is equivalent to 16 bytes. The base64-encoded format makes up (4 * ceil(16 / 3)) = 24 characters.
  • The 256-bit derived key is equivalent to 32 bytes. The base64-encoded format makes up (4 * ceil(32 / 3)) = 44 characters.

Putting that all together, we get: 4 + 2 + 8 + 24 + 44 = 82 characters.
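A worked version of the arithmetic above, as an added example that is not code from the question, the answer, or the wg/scrypt project: it packs the parameters, builds the $s0$params$salt$key string with Python's hashlib.scrypt, verifies a password against the stored string, and checks that the result is 82 characters. The 32-bit parameter packing and the padded base64 fields are assumptions taken from the answer's description, and the sample salt is constructed for the example.

```python
import base64
import hashlib
import hmac
import math

# Constructed sample inputs; a real salt comes from os.urandom(16).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes(range(16))  # 128-bit salt, constructed for the example

def pack_params(log2_n, r, p):
    """Pack log2(N) (16 bits), r (8 bits) and p (8 bits) into 8 hex chars (assumed layout)."""
    if not (0 <= log2_n < 1 << 16 and 0 <= r < 256 and 0 <= p < 256):
        raise ValueError("parameter does not fit the 32-bit params field")
    return f"{(log2_n << 16) | (r << 8) | p:08x}"

def unpack_params(hex_params):
    """Inverse of pack_params: returns (log2_n, r, p)."""
    value = int(hex_params, 16)
    return value >> 16, (value >> 8) & 0xFF, value & 0xFF

def scrypt_hash(password, salt, log2_n=14, r=8, p=1):
    """Return the $s0$params$salt$key string with a 256-bit derived key."""
    key = hashlib.scrypt(password, salt=salt, n=1 << log2_n, r=r, p=p, dklen=32)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")  # standard, padded base64
    return f"$s0${pack_params(log2_n, r, p)}${b64(salt)}${b64(key)}"

def verify(password, stored):
    """Re-derive the key from the stored params and salt; compare in constant time."""
    _, version, params, salt_b64, key_b64 = stored.split("$")
    if version != "s0":
        raise ValueError("unsupported format version")
    log2_n, r, p = unpack_params(params)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.scrypt(password, salt=salt, n=1 << log2_n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def formatted_length(salt_bytes=16, key_bytes=32):
    """4 dollar signs + 's0' + 8 hex chars + two padded base64 fields."""
    b64_len = lambda n: 4 * math.ceil(n / 3)
    return 4 + 2 + 8 + b64_len(salt_bytes) + b64_len(key_bytes)

if __name__ == "__main__":
    h = scrypt_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(h, len(h), formatted_length())  # both lengths are 82
```

The length is fixed only because the format pins the salt to 16 bytes and the key to 32; a column sized for 82 characters will break if either parameter is changed later.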



Answer 2:

In Colin Percival's own implementation, the tarsnap scrypt header is 96 bytes. This comprises:

  • 6 bytes 'scrypt'
  • 10 bytes N, r, p parameters
  • 32 bytes salt
  • 16 bytes SHA256 checksum of bytes 0-47
  • 32 bytes HMAC hash of bytes 0-63 (using scrypt hash as key)

This is also the format used by node-scrypt. There is an explanation of the rationale behind the checksum and the HMAC hash on stackexchange.

As a base64-encoded string, this makes 128 characters.



Tags: scrypt