Fix bcrypt hard limit on passwords to 71 bytes (#5356)

ysbaddaden · RX14 · commit 6c2297bb359a · 2018-01-20T13:39:19.000Z
Despite the original bcrypt paper claiming passwords must be a
maximum of 56 bytes, the implementations are compatible to up to 72
bytes.

Since increasing the limit doesn't break compatibility, but other
implementations allow as many as 72 bytes, let's increase the
arbitrary limitation of 51 characters (which was wrong anyway) to 72
bytes, minus the leading null byte, that is a password of 71 bytes.
diff --git a/spec/std/crypto/bcrypt_spec.cr b/spec/std/crypto/bcrypt_spec.cr
@@ -17,6 +17,7 @@ describe "Crypto::Bcrypt" do
     {5, latin1_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "BvtRGGx3p8o0C5C36uS442Qqnrwofrq"},
     {5, utf8_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
     {5, bit8_unicode_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},
+    {5, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012345678", "VU6N0LbtX7trKLCg4Uf8qe", "5WYPzqIUUIrkveFjCbMg/hXc592OQLK"},
   ]
 
   it "computes digest vectors" do
diff --git a/src/crypto/bcrypt.cr b/src/crypto/bcrypt.cr
@@ -5,6 +5,10 @@ require "./subtle"
 # Mazières, as [presented at USENIX in
 # 1999](https://www.usenix.org/legacy/events/usenix99/provos/provos_html/index.html).
 #
+# The algorithm has a maximum password length limit of 71 characters (see
+# [this comment](https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length#answer-39851)
+# on stackoverflow).
+#
 # Refer to `Crypto::Bcrypt::Password` for a higher level interface.
 #
 # About the Cost
@@ -31,7 +35,7 @@ class Crypto::Bcrypt
 
   DEFAULT_COST   = 11
   COST_RANGE     = 4..31
-  PASSWORD_RANGE = 1..51
+  PASSWORD_RANGE = 1..72
   SALT_SIZE      = 16
 
   private BLOWFISH_ROUNDS = 16

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ describe "Crypto::Bcrypt" do`
`17`	`17`	`{5, latin1_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "BvtRGGx3p8o0C5C36uS442Qqnrwofrq"},`
`18`	`18`	`{5, utf8_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},`
`19`	`19`	`{5, bit8_unicode_pound_sign, "CCCCCCCCCCCCCCCCCCCCC.", "CAzSxlf0FLW7g1A5q7W/ZCj1xsN6A.e"},`
	`20`	`+ {5, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789012345678", "VU6N0LbtX7trKLCg4Uf8qe", "5WYPzqIUUIrkveFjCbMg/hXc592OQLK"},`
`20`	`21`	`]`
`21`	`22`
`22`	`23`	`it "computes digest vectors" do`