Fix bcrypt hard limit on passwords to 71 bytes (#5356)
Despite the original bcrypt paper claiming passwords must be a
maximum of 56 bytes, the implementations are compatible with up to 72
bytes.

Since increasing the limit doesn't break compatibility, but other
implementations allow as many as 72 bytes, let's increase the
arbitrary limitation of 51 characters (which was wrong anyway) to 72
bytes, minus the leading null byte, that is, a password of 71 bytes.
ysbaddaden authored and RX14 committed Jan 20, 2018
1 parent ddbcf6c commit 6c2297b
Showing 2 changed files with 6 additions and 1 deletion.
1 change: 1 addition & 0 deletions spec/std/crypto/bcrypt_spec.cr
@@ -17,6 +17,7 @@ describe "Crypto::Bcrypt" do
{5, latin1_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "BvtRGGx3p8o0C5C36uS442Qqnrwofrq"},
{5, utf8_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
{5, bit8_unicode_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
{5, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012345678", "VU6N0LbtX7trKLCg4Uf8qe", "5WYPzqIUUIrkveFjCbMg/hXc592OQLK"},
]

it "computes digest vectors" do
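Review bot: the new vector in this hunk only exercises the accepting side of the new bound; the 71-character password "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012345678" (26 + 26 + 19 = 71 ASCII bytes) shows that a 71-byte input hashes to the expected digest at cost 5, but nothing checks the boundary that the commit message describes (72 bytes with the trailing NUL, 71 bytes of password). Consider adding a spec that a 72-byte or 73-byte password is rejected, and one multibyte case near the limit, since the surrounding vectors (latin1_pound_sign, utf8_pound_sign, bit8_unicode_pound_sign) already show the implementation counts bytes rather than characters, and a 71-character UTF-8 string can exceed 72 bytes.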
6 changes: 5 additions & 1 deletion src/crypto/bcrypt.cr
@@ -5,6 +5,10 @@ require "./subtle"
# Mazières, as [presented at USENIX in
# 1999](https://www.usenix.org/legacy/events/usenix99/provos/provos_html/index.html).
#
# The algorithm has a maximum password length limit of 71 characters (see
# [this comment](https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length#answer-39851)
# on stackoverflow).
#
# Refer to `Crypto::Bcrypt::Password` for a higher level interface.
#
# About the Cost
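Review bot: the added doc paragraph states the limit as "71 characters", while the constant changed in the next hunk and the commit message both speak in bytes ("72 bytes, minus the leading null byte"); for a UTF-8 password the two differ, so "71 bytes" would be the accurate wording. The link text "on stackoverflow" also does not match the URL, which points to security.stackexchange.com; "on Security Stack Exchange" would be correct.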
@@ -31,7 +35,7 @@ class Crypto::Bcrypt

DEFAULT_COST = 11
COST_RANGE = 4..31
PASSWORD_RANGE = 1..51
PASSWORD_RANGE = 1..72
SALT_SIZE = 16

private BLOWFISH_ROUNDS = 16

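Review bot: PASSWORD_RANGE = 1..72 is an inclusive range, so if the length check compares the raw password byte size against it, a 72-byte password is accepted even though the doc comment added above promises a maximum of 71 and the commit message says the 72nd byte is reserved for the terminating NUL. Either the range should be 1..71, or a comment should state that the range counts the NUL so the two numbers are visibly consistent; a spec at the 71/72 boundary would pin this down. A short comment on the constant noting that the limit is a hard reject rather than the silent truncation many bcrypt implementations perform past 72 bytes would also help callers understand why a long passphrase raises instead of hashing.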
0 comments on commit 6c2297b