Bcrypt's password length limit of 72 bytes

[janko]

I recently encountered this article, which warns that passwords longer than 72 bytes will be truncated when hashed via bcrypt. So, I was wondering whether Rodauth should validate maximum password length by deafult when using bcrypt. This would have to be adjusted in the password pepper feature to account for the pepper length, and can be removed for argon2, which effectively doesn't have a limit.

[jeremyevans]

Yes, this is a known issue with bcrypt. 72 bytes is generally going to be way more than enough to ensure security, so the only time this would be an issue is if:

1. You are using a password longer than 72 bytes
2. You have a security issue where the majority of the first 72 bytes of the password (enough to make attacks on the password feasible, but without the full password) are disclosed.

If your password is less than 72 bytes, this isn't an issue. If your password is fully disclosed, you would be vulnerable anyway. Either of those two cases seems unlikely, and the combination seems exceptionally rare. However, I don't have a problem with adding a password_maximum_length to login_password_requirements_base and defaulting it to 72 if require_bcrypt? (with similar changes to password_pepper).

[janko]

Thank you for the reply. I was mostly concerned for passwords in languages where characters use multiple bytes; e.g. for 4-byte characters the upper limit could be as low as 18 characters. However, I'm not sure how common is this, especially with the rise of password managers.

The same Devise issue didn't get much traction so far, so it's questionable how problematic this is in practice. It's also possible to easily circumvent this limit by hashing the password before:

password_hash { |password| Digest::SHA256.hexdigest(password) }

Adding a maximum limit now could be backwards incompatible for any applications doing this, at least from the UX perspective. So, at this time I don't feel strongly about adding an upper limit to Rodauth, as people can either use the workaround above, or use argon2.

[jeremyevans]

Adding a maximum password length wouldn't affect people trying to login with longer passwords, it would only affect new users or users trying to change their password to something longer than 72 bytes. Maybe I can add a maximum password length configuration variable, but default it to nil, so by default there is no limit. That way, if people are really concerned about this, they can add the limit themselves. We already have a maximum login length (defaults to 255), so supporting a maximum password length seems consistent with that.

[jeremyevans]

I added support for a maximum password length in a0e3594. I found that the current maximum login length was enforced as characters, but most databases will enforce it in bytes. Additionally, since bcrypt only uses the first 72 bytes, so we should probably have a separate limit for bytes. So I added the ability to enforce maximum bytes for both logins and passwords as well.

[janko]

Looks great, thank you for adding support for this!