Passwords shouldn't be limited to 72 characters #13152
Comments
Seems like a very marginal benefit to suit people who generate really long passwords over fiddling with Devise internals and upgrading millions of records.
You're wrong and can't seem to understand there's a whole world outside the US (or don't even know how bcrypt works). TL;DR: the 72-character limit is only true for ASCII characters. Any non-ASCII character will take up more than 1 byte in UTF-8, lowering the character-length limit.
Please don't be rude.
@danieljakots sorry! English is not my first language and sometimes my words come out a bit harsher than they were supposed to. I don't mean to be rude, sorry about that; I was just trying to be clear on why this issue is indeed important and cannot be ignored.
My suggestion is to approach the Devise team about this issue and see what they say.
Then you should do that, @Gargron, since it affects your users' security.
@yyyyyyyan I really don't think that's fair. You're the one who understands the issue, you're in the best position to remake it on their issue tracker.
@ryliejamesthomas I understand where you're coming from, but I really don't think that's fair to me. I work at least 8-10 hours a day, including weekends, I have my own open source projects to maintain, my own blog, my own life. Yes, I'd be glad to send an issue to a tool that's not used in any of the projects I maintain (and for all I know, not even in the projects I regularly contribute to), but I'm currently too busy for that, unfortunately. So it's a bit strange to me when you say I'm the one being unfair. Unfair to whom? I opened this issue in February. @Gargron made a comment in March and just left it there until yesterday. I'm being unfair because I expect the owner of a platform to care about its users' security? Anyway, this is already taking too much of my time. If I get some free time someday maybe I'll open an issue to the Devise team, who knows. Good luck with Mastodon. I'm too tired for this.
Creating this issue is faster than discussing 20 times here who should create one. So I just did it: heartcombo/devise#5307 (I hope I chose the correct project.)
Thanks @rugk
I know it's 2 years late, but for anyone reading this:
So please ensure you have at least some max limit. It can be 256 or 512 characters or something. 🙂 The security report was not related to Mastodon.
Expected behaviour
Passwords shouldn't be limited to 72 characters. Yes, bcrypt has this limitation, but any serious platform solves this by using another hash function (usually SHA256) before passing it to bcrypt. It doesn't make it any less secure.
Actual behaviour
An error message appears if you try to set a password longer than 72 characters.
Steps to reproduce the problem
Try to set a password longer than 72 characters.
Specifications
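The two points raised in this thread (bcrypt only looks at the first 72 bytes, so non-ASCII passwords hit the limit sooner, and a SHA-256 pre-hash sidesteps it) as an added, runnable illustration. This is not Mastodon's or Devise's code; it models bcrypt's byte truncation with a plain byteslice instead of calling the bcrypt gem, and the function names are my own.

```ruby
require "digest"
require "base64"

# bcrypt uses only the first 72 BYTES of the password. This constant and the
# function below model that behaviour; no bcrypt gem is involved.
BCRYPT_MAX_BYTES = 72

# The part of the password bcrypt would actually hash (simulation).
def bcrypt_effective_input(password)
  password.b.byteslice(0, BCRYPT_MAX_BYTES)
end

# Length as bcrypt counts it: UTF-8 bytes, not characters. A 40-character
# password made of "é" (2 bytes each) is already 80 bytes.
def utf8_bytesize(password)
  password.encode("UTF-8").bytesize
end

# Two passwords that agree on their first 72 bytes are indistinguishable
# to bcrypt, no matter how they differ afterwards.
def truncation_collides?(a, b)
  bcrypt_effective_input(a) == bcrypt_effective_input(b)
end

# Pre-hash as the issue proposes: SHA-256 first, then feed the digest to
# bcrypt. The digest is Base64-encoded rather than passed as raw bytes,
# because the raw 32-byte digest can contain NUL bytes, which C-string
# based bcrypt implementations treat as end of input. The result is always
# 44 ASCII bytes, so it fits the 72-byte limit for any password length.
def prehash_for_bcrypt(password)
  Base64.strict_encode64(Digest::SHA256.digest(password.encode("UTF-8")))
end

if __FILE__ == $0
  a = "a" * 72 + "X"
  b = "a" * 72 + "Y"
  puts "bytes of 40x'é': #{utf8_bytesize("é" * 40)}"          # 80
  puts "bcrypt sees a == b: #{truncation_collides?(a, b)}"      # true
  puts "prehash differs:   #{prehash_for_bcrypt(a) != prehash_for_bcrypt(b)}" # true
end
```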