Document password truncation with BCryptPasswordHasher

commit 843034a8d653af5b711a4ff79292e46e26717038 1 parent 577a27a
Donald Stufft authored March 26, 2013

Showing 1 changed file with 11 additions and 0 deletions.

11  docs/topics/auth.txt
@@ -462,6 +462,17 @@ To use Bcrypt as your default storage algorithm, do the following:
462 462
 That's it -- now your Django install will use Bcrypt as the default storage
463 463
 algorithm.
464 464
 
  465
+.. admonition:: Password truncation with BCryptPasswordHasher
  466
+
  467
+    The designers of bcrypt truncate all passwords at 72 characters which means
  468
+    that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
  469
+    ``BCryptPasswordHasher`` does not have any special handling and
  470
+    thus is also subject to this hidden password length limit. The practical
  471
+    ramification of this truncation is pretty marginal as the average user does
  472
+    not have a password greater than 72 characters in length and even being
  473
+    truncated at 72 the compute powered required to brute force bcrypt in any
  474
+    useful amount of time is still astronomical.
  475
+
465 476
 .. admonition:: Other bcrypt implementations
466 477
 
467 478
    There are several other implementations that allow bcrypt to be
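Review bot: the added admonition states the limit as "72 characters", but bcrypt truncates the input at 72 bytes, so a password containing multibyte UTF-8 characters is cut off after fewer than 72 characters; suggest wording it as "72 bytes" and noting that the character count depends on the encoding. In the same admonition, "the compute powered required to brute force bcrypt" should read "the compute power required to brute-force bcrypt". Consider also stating plainly that only the first 72 bytes take part in verification, since that is the security-relevant consequence of the truncation rather than the average password length.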
