Document password truncation with BCryptPasswordHasher #962

Merged
merged 1 commit into from

1 participant

@dstufft
Collaborator

No description provided.

@dstufft dstufft merged commit 41af26d into django:stable/1.4.x
@dstufft dstufft deleted the dstufft:document-bcrypt-truncation-1.4.x branch
Commits on Mar 26, 2013
  1. @dstufft
Showing with 11 additions and 0 deletions.
  1. +11 −0 docs/topics/auth.txt
11 docs/topics/auth.txt
@@ -462,6 +462,17 @@ To use Bcrypt as your default storage algorithm, do the following:
That's it -- now your Django install will use Bcrypt as the default storage
algorithm.
+.. admonition:: Password truncation with BCryptPasswordHasher
+
+ The designers of bcrypt truncate all passwords at 72 characters which means
+ that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
+ ``BCryptPasswordHasher`` does not have any special handling and
+ thus is also subject to this hidden password length limit. The practical
+ ramification of this truncation is pretty marginal as the average user does
+ not have a password greater than 72 characters in length and even being
+ truncated at 72 the compute powered required to brute force bcrypt in any
+ useful amount of time is still astronomical.
+
.. admonition:: Other bcrypt implementations
There are several other implementations that allow bcrypt to be
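Review bot: the limit is 72 bytes, not 72 characters, and the new admonition should say so; the hasher hands bcrypt a UTF-8 encoding of the password, so a password shorter than 72 characters that contains multi-byte characters can still be cut short. Suggest rewording the first sentence to "The designers of bcrypt truncate all passwords at 72 bytes" and stating the example in bytes as well. The "marginal ramification" sentence also needs a caveat that follows directly from the equation given above: two passwords that share their first 72 bytes are interchangeable at login, so a user with a long generated passphrase loses every bit of entropy past that point and should be told about the limit rather than assumed not to exist. Two smaller fixes in the same paragraph: "compute powered required" should read "compute power required", and "even being truncated at 72 the compute" reads more clearly as "even truncated at 72 bytes, the compute".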