Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bcrypt: reject passwords longer than 72 bytes
By design, bcrypt only uses the first 72 bytes of a password when generating a hash. Most implementations, including the reference one, simply silently ignore any trailing input when provided passwords longer than 72 bytes. This can cause confusion for users who expect the entire password to be used to generate the hash. In GenerateFromPassword, reject passwords longer than 72 bytes. CompareHashAndPassword will still accept these passwords, since we cannot break hashes that have already been stored. Fixes golang/go#36546 Change-Id: I039addd2a2961a7fa9d1e4a3e892a9e3c8bf4c9a Reviewed-on: https://go-review.googlesource.com/c/crypto/+/450415 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Jason McNeil <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]>
- Loading branch information