/ Security Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Be Aware That Bcrypt Has a Maximum Password Length

DZone's Guide to

Be Aware That Bcrypt Has a Maximum Password Length

Longer passwords are more secure, right? So can hashing algorithms can support unlimited password lengths? In the case of bcrypt, the answer might surprise you.

by
·
Mar. 08, 17 · Security Zone ·
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

Bcrypt is a popular password hashing function these days. Other than standard hash functions (like SHA-515), bcrypt is designed to be slow and therefore very resistant to brute force attacks.

However, when using bcrypt you should be aware that it limits your maximum password length to 50-72 bytes. The exact length depends on the bcrypt implementation you are using (see this StackExchange answer).

Passwords that exceed the maximum length will be truncated.

The following piece of code shows the password truncation using Spring Securities BCryptPasswordEncoder:

BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

// 72 characters
String password1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

// 73 characters
String password2 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab";

String encodedPassword1 = passwordEncoder.encode(password1);
boolean matches = passwordEncoder.matches(password2, encodedPassword1);

System.out.println("encodedPassword1: " + encodedPassword1);
System.out.println("matches: " + matches);


When running this example, the output might look like this:

encodedPassword1: $2a$10$A5OpVKgjEZzmy6UNsqzkjuG2xGET1wp3b/9ET5dz/tHQ3eRvyXSSO
matches: true


According to BCryptPasswordEncoder both passwords match (= are identical) even if they have a different length.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Like This Article? Read More From DZone

Node.js and Password Storage With Bcrypt
Securely Storing Password Data in Couchbase With Golang and BCrypt
Hashing Passwords in Java With BCrypt

Free DZone Refcard

REST API Security
DOWNLOAD
Topics:
bcrypt ,security ,password security

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

Security Partner Resources

What is the Deserialization vulnerability and what are the challenges in providing a solution
Easy on-ramp to open source security with Flexera
Find out how to Secure your applications with Point and Click protection.
Top 5 OWASP Resources No Developer Should Be Without
Get the facts about open source security practices with this Flexera Open Source Risk Report!
The Go Language Guide: Web Application Secure Coding Practices
The AppSec How To: Application Security in Continuous Integration
Open Source Security in 2018 - Trends to Act On
Learn how to Patch faster than attackers can find you

Security Partner Resources

What is the Deserialization vulnerability and what are the challenges in providing a solution
Easy on-ramp to open source security with Flexera
Find out how to Secure your applications with Point and Click protection.
Top 5 OWASP Resources No Developer Should Be Without

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone