Fix bcrypt hard limit on passwords to 71 bytes (#5356)
Despite the original bcrypt paper claiming passwords must be a
maximum of 56 bytes, the implementations are compatible with up to 72
bytes.

Since increasing the limit doesn't break compatibility, but other
implementations allow as many as 72 bytes, let's increase the
arbitrary limitation of 51 characters (which was wrong anyway) to 72
bytes, minus the leading null byte, that is, a password of 71 bytes.
ysbaddaden authored and RX14 committed Jan 20, 2018
1 parent ddbcf6c commit 6c2297b
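The commit message's arithmetic (72 bytes consumed by the key schedule, one of them the C-string null terminator, so 71 bytes of actual password) is easiest to see by modelling the byte stream that bcrypt's EksBlowfish key expansion reads. The block below is an added example written for this page; it is not Crystal's code, and it models only that key-schedule input of the reference implementation (the password plus its NUL terminator, cycled until 18 P-array words, i.e. 72 bytes, have been consumed), not the hash itself. The function names key_stream, collides and password_ok are this example's own.

```python
# Added example (not Crystal's code): model the bytes bcrypt's EksBlowfish key
# schedule actually reads from a password, to show why 72 is the hard limit
# and why this commit settles on 71 bytes of password.

KEY_SCHEDULE_BYTES = 18 * 4  # 18 P-array words, 4 password bytes XORed into each


def key_stream(password: bytes) -> bytes:
    """Return the 72 bytes the key schedule consumes for this password.

    The reference implementation passes the password together with its
    C-string NUL terminator and cycles through that buffer until 72 bytes
    have been read: short passwords are repeated, and any byte past the
    72nd is never looked at.
    """
    if not password:
        raise ValueError("empty password")
    if b"\x00" in password:
        raise ValueError("a NUL inside the password would end the C string early")
    buf = password + b"\x00"
    return bytes(buf[i % len(buf)] for i in range(KEY_SCHEDULE_BYTES))


def collides(a: bytes, b: bytes) -> bool:
    """True when two different passwords feed the key schedule identical
    input, i.e. bcrypt would yield the same hash for both (same salt, same cost)."""
    return a != b and key_stream(a) == key_stream(b)


def password_ok(password: bytes, limit: int = 71) -> bool:
    """Length check a caller should enforce before hashing: 72 consumed bytes
    minus the NUL terminator leaves 71 bytes of password, the limit this
    commit documents. The check is on bytes, not characters."""
    return 0 < len(password) <= limit


if __name__ == "__main__":
    pound = "£".encode("utf-8")  # 2 bytes per character in UTF-8
    cases = [
        (b"x" * 71, b"x" * 71 + b"y"),  # 71 bytes: the 72nd byte is still seen
        (b"x" * 72, b"x" * 72 + b"y"),  # 72 bytes: the extra byte is silently dropped
        (pound * 36, pound * 37),       # 36 characters already make 72 bytes
    ]
    for a, b in cases:
        print(f"{len(a):3d} vs {len(b):3d} bytes -> identical key schedule input: {collides(a, b)}")
    print("password_ok(72 bytes):", password_ok(b"x" * 72))
```

The third case is the one the "71 characters" wording in the doc comment misses: a password of 36 two-byte characters is already 72 bytes long, so its 37-character extension hashes identically. Whatever limit an application enforces, it has to be measured on the encoded bytes.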
Showing 2 changed files with 6 additions and 1 deletion.
1 change: 1 addition & 0 deletions spec/std/crypto/bcrypt_spec.cr
@@ -17,6 +17,7 @@ describe "Crypto::Bcrypt" do
{5, latin1_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "BvtRGGx3p8o0C5C36uS442Qqnrwofrq"},
{5, utf8_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
{5, bit8_unicode_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
{5, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012345678", "VU6N0LbtX7trKLCg4Uf8qe", "5WYPzqIUUIrkveFjCbMg/hXc592OQLK"},
]

it "computes digest vectors" do
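Review bot: the new vector covers the longest accepted password (the string on that line is 71 bytes), but nothing in this spec exercises the other side of the new PASSWORD_RANGE: add a case asserting what happens at 72 bytes (rejected if 71 is the intended limit, as the commit title says), so the boundary in src/crypto/bcrypt.cr is pinned by a test rather than only by a vector. A short comment on the vector line stating that the string is 71 bytes long would also help, since that length is the whole point of the entry.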
6 changes: 5 additions & 1 deletion src/crypto/bcrypt.cr
@@ -5,6 +5,10 @@ require "./subtle"
# Mazières, as [presented at USENIX in
# 1999](https://www.usenix.org/legacy/events/usenix99/provos/provos_html/index.html).
#
# The algorithm has a maximum password length limit of 71 characters (see
# [this comment](https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length#answer-39851)
# on stackoverflow).
#
# Refer to `Crypto::Bcrypt::Password` for a higher level interface.
#
# About the Cost
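Review bot: the limit is a byte limit, not a character limit; the spec in this same commit passes latin1_pound_sign, utf8_pound_sign and bit8_unicode_pound_sign precisely because the encoding changes the byte count, and a multibyte UTF-8 character consumes several of those bytes. "71 characters" should therefore read "71 bytes", matching the commit title: `# The algorithm has a maximum password length limit of 71 bytes (see`. Also, the link points at security.stackexchange.com, so "on stackoverflow" should be "on Security Stack Exchange".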
@@ -31,7 +35,7 @@ class Crypto::Bcrypt

DEFAULT_COST = 11
COST_RANGE = 4..31
PASSWORD_RANGE = 1..51
PASSWORD_RANGE = 1..72
SALT_SIZE = 16

private BLOWFISH_ROUNDS = 16
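Review bot: `PASSWORD_RANGE = 1..72` is an inclusive range in Crystal, so it admits a 72-byte password, which contradicts both the doc comment added to this file ("71 characters") and the commit title ("71 bytes"). If 71 is the intended limit (72 minus the null byte the commit message accounts for), this should be `PASSWORD_RANGE = 1..71`; if 72 is intended, the comment and title need changing instead. Either way the rejected length should be asserted in spec/std/crypto/bcrypt_spec.cr so the two files cannot drift apart again.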