FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Enforce bcrypt password length limit regardless of tenant configuration when using Bcrypt #2671

Closed robotdan closed 2 months ago

robotdan commented 4 months ago

What happened?

For the cases where you may have some users on bcrypt even though it isn't your default configuration, we should validate these passwords separately from the primary configuration to enforce the max bcrypt length if it is less than the global config.

For example, if you set the default to 256 this is fine for most algorithms, but for Bcrypt we have to limit the password length to 50 bytes to be safe. In practice we could validate the byte length and not the character length, but this may be more difficult to communicate to the end user when their password is too long.

This is all possible today, but requires you to set this length limit for everyone even if some users are using a different algorithm.

Related

Version

1.48.0

Affects Versions

All

Documentation
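
The per-user check the issue asks for, as an added example in Python that is not FusionAuth's code: the tenant limit is checked in characters as the user sees them, and a second, per-scheme limit is checked in UTF-8 bytes for users whose stored hash uses bcrypt, so a 256-character tenant maximum can stay in place for everyone else. The scheme names, the tenant defaults, the user records and the 50-byte bcrypt cap from the issue text are assumptions for illustration. The example also models why the cap exists: bcrypt implementations hash only the first 72 bytes of the input, so two passwords that differ only beyond that point produce the same hash.

```python
"""
Per-user password length validation keyed on the hashing scheme stored
for that user, rather than on the tenant-wide maximum alone.

Added illustration (Python), not FusionAuth's implementation. Scheme
names, tenant settings and the 50-byte bcrypt cap are taken from the
issue text or assumed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# bcrypt implementations use only the first 72 bytes of the input;
# anything past that point does not affect the resulting hash.
BCRYPT_INPUT_LIMIT = 72

# Per-scheme byte caps applied on top of the tenant limit.
# None means the tenant's maximum is the only constraint.
# The 50-byte bcrypt cap is the figure proposed in the issue (assumption).
SCHEME_MAX_BYTES: dict[str, Optional[int]] = {
    "bcrypt": 50,
    "salted-pbkdf2-hmac-sha256": None,
    "salted-sha256": None,
}


@dataclass
class TenantPasswordConfig:
    """Tenant-wide limits, counted in characters as shown to the user."""
    min_length: int = 8
    max_length: int = 256


@dataclass
class User:
    """Constructed user record; the scheme is whatever produced the stored hash."""
    email: str
    encryption_scheme: str


def bcrypt_effective_input(password: str) -> bytes:
    """Model the portion of the password that bcrypt actually hashes."""
    return password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]


def validate_password(user: User, tenant: TenantPasswordConfig, password: str) -> list[str]:
    """Return validation errors; an empty list means the password is acceptable."""
    errors: list[str] = []
    chars = len(password)                   # code points, what the user counts
    nbytes = len(password.encode("utf-8"))  # what the hash function receives

    # Tenant-wide limits, in characters, apply to every user.
    if chars < tenant.min_length:
        errors.append(f"password must be at least {tenant.min_length} characters")
    if chars > tenant.max_length:
        errors.append(f"password must be at most {tenant.max_length} characters")

    # Scheme-specific byte cap applies only to users on that scheme, so a
    # long tenant maximum does not have to be lowered for everyone.
    cap = SCHEME_MAX_BYTES.get(user.encryption_scheme)
    if cap is not None and nbytes > cap:
        errors.append(
            f"password is {nbytes} bytes in UTF-8 ({chars} characters); "
            f"{user.encryption_scheme} accepts at most {cap} bytes"
        )
    return errors


if __name__ == "__main__":
    tenant = TenantPasswordConfig()  # max 256 characters
    bcrypt_user = User("alice@example.com", "bcrypt")
    pbkdf2_user = User("bob@example.com", "salted-pbkdf2-hmac-sha256")

    long_pw = "a" * 60
    print("pbkdf2 user, 60 chars:", validate_password(pbkdf2_user, tenant, long_pw))
    print("bcrypt user, 60 chars:", validate_password(bcrypt_user, tenant, long_pw))

    # 30 characters but 60 UTF-8 bytes: passes a character count, fails the byte cap.
    multibyte_pw = "\u00e9" * 30
    print("bcrypt user, 30 x e-acute:", validate_password(bcrypt_user, tenant, multibyte_pw))

    # Why the cap matters: these differ only after byte 72, so bcrypt sees the same input.
    p1, p2 = "x" * 80, "x" * 72 + "y" * 8
    print("same bcrypt input:", bcrypt_effective_input(p1) == bcrypt_effective_input(p2))
```

The byte count is what matters for the cap, but the error message reports both figures so a user whose 30-character password is rejected can see why; that is the communication problem the issue raises with validating bytes rather than characters.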

robotdan commented 3 months ago

Internal:

andrewpai commented 2 months ago

Shipping in 1.50.0.