P-H-C / phc-winner-argon2

The password hash Argon2, winner of PHC

Maximum password length: "Provided password longer than supported in command line utility" #339

Open mb720 opened 2 years ago

mb720 commented 2 years ago

Hi and thanks for argon2!

Using version 20190702 of argon2, I hit the limit for maximum input length:

printf 'x%.0s' {1..128} | argon2 my_salt_is_here
Error: Provided password longer than supported in command line utility

Also in argon's source code I can see that the maximum password length is 127.

I was wondering:

  1. Whether there are ways around that length limit. The error message suggests that the command line utility doesn't support longer inputs. Maybe argon2 per se doesn't have that limitation.
  2. What's the reason for limiting input length to 127 bytes.

Thanks!

LoganDark commented 2 years ago

It's because the command-line utility doesn't expand the input buffer past that length:

https://github.com/P-H-C/phc-winner-argon2/blob/16d3df698db2486dde480b09a732bf9bf48599f9/src/run.c#L184

> Maybe argon2 per se doesn't have that limitation.

Correct, I think argon2 only has a limitation of 4GB (as that's the limit of a 32-bit unsigned integer).

> 2. What's the reason for limiting input length to 127 bytes.

I assume because it's stored on the stack. In my experience there's a convention to be nice to the stack and stay below ~1KB of usage. I'm sure if the buffer was allocated on the heap it would be able to be much larger. Perhaps you could open a PR to change it.
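
The heap-allocated buffer suggested in the comment above, sketched as an added example (not code from the argon2 repository or from either commenter). `read_password`, `wipe`, `roundtrip_len` and the 1 MiB `MAX_PWD_BYTES` cap are hypothetical names and values chosen for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PWD_BYTES (1u << 20) /* assumed cap for this sketch, not a library limit */

/* Zero a buffer through a volatile pointer so the stores are not optimised out. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read the whole stream into a heap buffer that doubles as needed. Returns the
 * buffer (caller wipes and frees) with its length in *len, or NULL on I/O error,
 * allocation failure, or input that reaches MAX_PWD_BYTES. */
static unsigned char *read_password(FILE *in, size_t *len) {
    size_t cap = 128, used = 0;
    unsigned char *buf = malloc(cap), *bigger;
    while (buf != NULL) {
        used += fread(buf + used, 1, cap - used, in);
        if (ferror(in)) break;
        if (used < cap) { *len = used; return buf; } /* short read: end of input */
        if (cap >= MAX_PWD_BYTES) break;
        /* Grow by copy rather than realloc so the old block is wiped before free. */
        if ((bigger = malloc(cap * 2)) != NULL) memcpy(bigger, buf, used);
        wipe(buf, used);
        free(buf);
        buf = bigger;
        cap *= 2;
    }
    if (buf != NULL) { wipe(buf, used); free(buf); }
    return NULL;
}

/* Constructed input: n bytes of 'x', as in the report's printf pipeline.
 * Returns the length read back, or (size_t)-1 on failure. */
static size_t roundtrip_len(size_t n) {
    size_t i, len = (size_t)-1;
    unsigned char *pwd;
    FILE *f = tmpfile();
    if (f == NULL) return len;
    for (i = 0; i < n; i++) fputc('x', f);
    rewind(f);
    if ((pwd = read_password(f, &len)) != NULL) { wipe(pwd, len); free(pwd); }
    fclose(f);
    return len;
}

int main(void) { printf("%zu\n", roundtrip_len(128)); return 0; }
```

The returned length still has to fit the library's 32-bit length parameter mentioned above, which the 1 MiB cap guarantees.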