Here's a failing test that shows the issue:

```elixir
test "verify_pass returns false when only first 72 bytes match" do
  pass = "This string is seventy-two characters long. That's also 72 bytes in size"
  hashed_pass = Bcrypt.hash_pwd_salt(pass)
  refute Bcrypt.verify_pass(pass <> ".", hashed_pass)
end
```
If you agree that it's an issue, I propose changing both `hash_pwd_salt/2` and `verify_pass/2` to ensure length <= 72 bytes.
I can prepare a PR as well, but wanted to check first.
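One way to enforce the proposed 72-byte limit, as an added example that is not part of bcrypt_elixir or of this issue: a thin wrapper (hypothetical module name `SafeBcrypt`) that checks `byte_size/1` rather than `String.length/1` before calling into the library, so multi-byte UTF-8 input is measured the way bcrypt actually consumes it.

```elixir
defmodule SafeBcrypt do
  # bcrypt only uses the first 72 bytes of its input; anything beyond that is
  # silently dropped, so two passwords sharing a 72-byte prefix verify the same.
  @max_bytes 72

  defmodule PasswordTooLongError do
    defexception message: "password exceeds 72 bytes and would be silently truncated by bcrypt"
  end

  # Hypothetical wrapper around Bcrypt.hash_pwd_salt/2: refuse to hash input the
  # algorithm cannot represent in full. byte_size/1 counts bytes, not graphemes,
  # so a 40-character password made of 2-byte characters is correctly rejected.
  def hash_pwd_salt(password, opts \\ []) when is_binary(password) do
    if byte_size(password) > @max_bytes do
      raise PasswordTooLongError
    end

    Bcrypt.hash_pwd_salt(password, opts)
  end

  # Hypothetical wrapper around Bcrypt.verify_pass/2: an over-long candidate can
  # never be a password this wrapper accepted for hashing, so it fails before the
  # comparison instead of matching a stored hash on its truncated prefix.
  def verify_pass(password, hash) when is_binary(password) and is_binary(hash) do
    byte_size(password) <= @max_bytes and Bcrypt.verify_pass(password, hash)
  end
end
```

With this wrapper the failing test above passes, because the 73-byte candidate `pass <> "."` is rejected before bcrypt ever sees it.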
There was a related incident with Okta recently and this blog post does a good job of explaining it and why it's a good idea to disallow hashing passwords over 72 bytes:
https://n0rdy.foo/posts/20250121/okta-bcrypt-lessons-for-better-apis/