fusionauth-issues
Enforce bcrypt password length limit regardless of tenant configuration when using Bcrypt
What happened?
For the cases where you may have some users on bcrypt even though it isn't your default configuration, we should validate these passwords separately from the primary configuration to enforce the max bcrypt length if it is less than the global config.

For example, if you set the default to 256, this is fine for most algorithms, but for Bcrypt we have to limit the password length to 50 bytes to be safe. In practice we could validate the byte length and not the character length, but this may be more difficult to communicate to the end user when their password is too long.

This is all possible today, but requires you to set this length limit for everyone even if some users are using a different algorithm.
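The per-user check described above, written as an added example that is not FusionAuth's code: the limit applied to a password is the tenant's global maximum, lowered to the bcrypt cap only for users whose stored hash is bcrypt, and for those users the length is measured in UTF-8 bytes (bcrypt's limit is a byte limit) while the error message still reports both units. The `TenantConfig`/`User` shapes and the `scheme` field are assumptions made for the example.

```python
from dataclasses import dataclass

# Conservative cap from the issue text. Real bcrypt implementations silently
# truncate input at 72 bytes, so anything past that never affects the hash.
BCRYPT_SAFE_MAX_BYTES = 50


@dataclass
class TenantConfig:
    default_scheme: str       # e.g. "pbkdf2" or "bcrypt" (assumed field)
    max_password_length: int  # global maximum, counted in characters


@dataclass
class User:
    scheme: str  # scheme the user's *stored* hash was produced with (assumed field)


def effective_max_length(cfg: TenantConfig, user: User) -> int:
    """Global limit, lowered to the bcrypt cap only when this user is on bcrypt."""
    limit = cfg.max_password_length
    if user.scheme == "bcrypt":
        limit = min(limit, BCRYPT_SAFE_MAX_BYTES)
    return limit


def validate_password(cfg: TenantConfig, user: User, password: str) -> tuple[bool, str]:
    """Return (ok, message). Bcrypt users are measured in UTF-8 bytes, since
    that is what bcrypt truncates on; other schemes keep the character count."""
    limit = effective_max_length(cfg, user)
    chars = len(password)
    nbytes = len(password.encode("utf-8"))
    length = nbytes if user.scheme == "bcrypt" else chars
    unit = "bytes" if user.scheme == "bcrypt" else "characters"
    if length > limit:
        return False, (f"password is {chars} characters ({nbytes} bytes); "
                       f"the limit for this account is {limit} {unit}")
    return True, ""


if __name__ == "__main__":
    cfg = TenantConfig(default_scheme="pbkdf2", max_password_length=256)
    # 30 non-ASCII characters is 60 bytes: fine globally, too long for a bcrypt user.
    print(validate_password(cfg, User("pbkdf2"), "ü" * 30))
    print(validate_password(cfg, User("bcrypt"), "ü" * 30))
```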
Related
- https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
- https://dzone.com/articles/be-aware-that-bcrypt-has-a-maximum-password-length
- https://github.com/FusionAuth/fusionauth-issues/issues/2688
Version
1.48.0
Affects Versions
All
Internal:
- https://github.com/FusionAuth/fusionauth-app/pull/402
Shipping in 1.50.0.