Be Aware That Bcrypt Has a Maximum Password Length
Longer passwords are more secure, right? So can hashing algorithms can support unlimited password lengths? In the case of bcrypt, the answer might surprise you.
Join the DZone community and get the full member experience.Join For Free
Bcrypt is a popular password hashing function these days. Other than standard hash functions (like SHA-515), bcrypt is designed to be slow and therefore very resistant to brute force attacks.
However, when using bcrypt you should be aware that it limits your maximum password length to 50-72 bytes. The exact length depends on the bcrypt implementation you are using (see this StackExchange answer).
Passwords that exceed the maximum length will be truncated.
The following piece of code shows the password truncation using Spring Securities BCryptPasswordEncoder:
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); // 72 characters String password1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // 73 characters String password2 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab"; String encodedPassword1 = passwordEncoder.encode(password1); boolean matches = passwordEncoder.matches(password2, encodedPassword1); System.out.println("encodedPassword1: " + encodedPassword1); System.out.println("matches: " + matches);
When running this example, the output might look like this:
encodedPassword1: $2a$10$A5OpVKgjEZzmy6UNsqzkjuG2xGET1wp3b/9ET5dz/tHQ3eRvyXSSO matches: true
According to BCryptPasswordEncoder both passwords match (= are identical) even if they have a different length.
Published at DZone with permission of Michael Scharhag, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.