GoSimpleLLC / nbvcxz

Password strength estimator
MIT License

Add maxLength configuration and fix DoS exploit #76

Closed Tostino closed 1 year ago

Tostino commented 1 year ago

Max length configuration is set by default to 256 to allow most edge cases to still validate fully. It is intended to be set to the same value you (or your hash function) truncates the value to. If you are using bcrypt, most implementations will have a 72 character limit.

We also have algorithm fixes to avoid an edge case that could be used for DoS.
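The reasoning behind a maxLength cap, as an added example that is not nbvcxz's code: a zxcvbn-style estimator looks up every substring of the input against its dictionaries, so its cost grows at least quadratically with input length, and an attacker who submits a multi-kilobyte "password" makes the server do millions of lookups per request. Capping the scanned length bounds that work, and aligning the cap with the hash function's own limit (bcrypt uses at most 72 bytes of the password) means the estimator scores exactly the part of the password that will actually protect the account. The names `DICTIONARY`, `estimate`, `scan_cost` and `truncate_for_hash` are hypothetical, and the wordlist is constructed for the example.

```python
# Added example (not nbvcxz's code): why a password-strength estimator needs a
# maxLength cap, and how to align that cap with the hash function's own limit.
# All names here are hypothetical; nbvcxz's real API is not used.

BCRYPT_MAX_BYTES = 72      # bcrypt consumes at most 72 bytes of the password
DEFAULT_MAX_LENGTH = 256   # generous default, matching the PR's default

# Constructed mini wordlist standing in for a real dictionary.
DICTIONARY = {"password", "admin", "letmein", "qwerty", "dragon", "123456"}


def scan_cost(n: int) -> int:
    """Number of substring lookups a naive all-substrings scan performs."""
    return n * (n + 1) // 2


def dictionary_matches(password: str):
    """Naive zxcvbn-style scan: look up every substring password[i:j].
    Returns (matches, lookups); lookups is the work unit an attacker inflates."""
    n = len(password)
    lookups = 0
    matches = []
    for i in range(n):
        for j in range(i + 1, n + 1):
            lookups += 1
            sub = password[i:j]
            if sub.lower() in DICTIONARY:
                matches.append((i, j, sub))
    return matches, lookups


def estimate(password: str, max_length: int = DEFAULT_MAX_LENGTH) -> dict:
    """Bounded estimator: truncate before scanning, so the work is
    O(max_length^2) regardless of how long the submitted password is."""
    truncated = len(password) > max_length
    scanned = password[:max_length]
    matches, lookups = dictionary_matches(scanned)
    return {"scanned_length": len(scanned), "truncated": truncated,
            "matches": matches, "lookups": lookups}


def truncate_for_hash(password: str, max_bytes: int = BCRYPT_MAX_BYTES) -> str:
    """Truncate on UTF-8 bytes (not code points), dropping a partial trailing
    character, so the estimator scores exactly what bcrypt will consume."""
    data = password.encode("utf-8")
    if len(data) <= max_bytes:
        return password
    return data[:max_bytes].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    # Constructed hostile input: 5,000 characters of junk.
    hostile = "x" * 5000
    print("unbounded scan would cost", scan_cost(len(hostile)), "lookups")
    bounded = estimate(hostile, max_length=BCRYPT_MAX_BYTES)
    print("bounded scan cost", bounded["lookups"], "lookups")
    # A weak prefix with a long "strong" tail that bcrypt never sees.
    padded = "password" + "Z" * 100
    scored = truncate_for_hash(padded)
    print("bcrypt sees", len(scored.encode("utf-8")), "bytes; matches:",
          estimate(scored)["matches"])
```

Truncating on bytes rather than characters matters for non-ASCII passwords: a 40-character string of two-byte characters is 80 bytes, so bcrypt keeps only the first 36 characters, and the estimator should judge those 36 and nothing more. Setting `max_length` equal to the hash's limit gives a hard, attacker-independent upper bound on scan cost (2,628 lookups for 72 characters versus 12,502,500 for an unbounded 5,000-character input).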

Tostino commented 1 year ago

This was instigated by investigating this issue: https://github.com/GoSimpleLLC/nbvcxz/issues/60

These changes (as shown in that thread) had major performance improvements with the worst case.