
I was reading this question regarding bcrypt max password length.

Is there a preferred method or way to allow user passwords to be unlimited length? Or at least much higher?

Is there an alternative library? Or a full alternative method? Currently I'm using Node with this npm package.

Charlie Fish

1 Answer

The 72-character limit is caused by the Blowfish cipher, which is used internally by Bcrypt. You can limit the length of the password in your application, truncate it, or (may not be the brightest idea) hash it and pass the output of the hash function to Bcrypt. Either way, it is not possible to beat the Bcrypt cipher's internal limit.

stmbgr1
  • No good alternatives or anything? – Charlie Fish Jul 28 '16 at 19:10
  • @CharlieFish He gave you an alternative that I would say is the correct answer: hash whatever input you want to throw into bcrypt. 72 characters * 8 bits per character = max 576 bits. So just use SHA256/512 and then put the result of your hash function into bcrypt. – sethmlarson Jul 28 '16 at 19:19
  • Ok then I guess I don't fully understand why it might not be the brightest idea to hash it then pass that output into bcrypt. – Charlie Fish Jul 28 '16 at 19:21
  • The output of SHA512 or SHA256 is shorter than what bcrypt could in theory take in, so if somebody tried to put in more than 512 actually random bits, the hash would lose some entropy. But in practice no password is going to have even 256 bits of entropy, so it's not going to be a problem. – ilkkachu Jul 28 '16 at 19:28
  • @ilkkachu But why isn't that the brightest idea then? – Charlie Fish Jul 28 '16 at 21:54
  • @CharlieFish - Just tried to point out why this is not a good idea in this [answer](http://stackoverflow.com/a/39195488/575765). – martinstoeckli Aug 28 '16 at 21:00