hay-kot / homebox

Homebox is the inventory and organization system built for the Home User
https://hay-kot.github.io/homebox/
GNU Affero General Public License v3.0

[BUG] 100 character passwords give generic error and do not work #322

Open starsoccer opened 1 year ago

starsoccer commented 1 year ago

First Check

Homebox Version

0.8.2

What is the issue you are experiencing?

Attempting to use a password 100 characters long gives a generic error and does not work

How can the maintainer reproduce the issue?

  1. Register new user
  2. When prompted for password enter a password 100 characters long
  3. Error appears saying, "Problem registering user"

Deployment

Unraid

Deployment Details

No response

hay-kot commented 1 year ago

Related to

ColtonProvias commented 1 year ago

The password algorithm used here is bcrypt, which has a maximum length of 72 bytes for the password. Other algorithms such as argon2id, scrypt, and pbkdf2 don't have this limitation. Switching to one of those or setting a reasonable max length that doesn't reveal the algorithm (such as 64 bytes) may suffice.

starsoccer commented 1 year ago

Hmm, interesting news to me. I was just surprised to see the limit, as most sites allow me to use 100 characters without any issue. I am not sure if they are using alternative algorithms or just doing something custom with bcrypt to support longer ones.

JJGadgets commented 8 months ago

I accidentally opened a duplicate issue for this, but I'll paste my solution suggestion here anyway:

Ideally, Homebox should show a proper error like "Password is too long", and the actual validation conditions on the register page itself, so users can easily create a password that meets requirements without having to search elsewhere for the validation info.
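The bcrypt limit ColtonProvias describes and the up-front validation JJGadgets asks for, combined into one added Go example (Homebox is written in Go, but this is not the project's own code). It measures the candidate password in bytes rather than characters, because bcrypt's 72-byte limit applies to the encoded bytes, so a 40-character password of accented letters or a 20-character password of emoji already exceeds it. The names `MaxPasswordBytes`, `ErrPasswordTooLong`, `ValidatePassword`, `PasswordCheck` and `Requirements` are assumptions made for this example and do not exist in Homebox:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// MaxPasswordBytes is the limit enforced before hashing. bcrypt only uses the
// first 72 bytes of its input, so anything longer must be rejected up front.
// Assumed constant for this example; lowering it (e.g. to 64) works the same way.
const MaxPasswordBytes = 72

// ErrPasswordTooLong carries a user-facing message so the register form can
// show the real reason instead of a generic "Problem registering user".
var ErrPasswordTooLong = errors.New("password is too long")

// PasswordCheck describes the result of validating one candidate password.
type PasswordCheck struct {
	Chars int   // user-visible characters (runes)
	Bytes int   // bytes the hash function would actually see
	Err   error // nil when the password is acceptable
}

// ValidatePassword measures the candidate in bytes, not characters, because
// that is what bcrypt's 72-byte limit applies to. Non-ASCII characters take
// 2-4 bytes each, so a short-looking password can still exceed the limit.
func ValidatePassword(pw string) PasswordCheck {
	c := PasswordCheck{Chars: utf8.RuneCountInString(pw), Bytes: len(pw)}
	if c.Bytes > MaxPasswordBytes {
		c.Err = fmt.Errorf("%w: %d bytes, maximum is %d",
			ErrPasswordTooLong, c.Bytes, MaxPasswordBytes)
	}
	return c
}

// Requirements is the text to show next to the password field so users can
// see the constraint before they submit, as the comment above suggests.
func Requirements() string {
	return fmt.Sprintf("Password must be at most %d bytes (%d characters if all "+
		"are ASCII; fewer if it contains accented letters, symbols or emoji).",
		MaxPasswordBytes, MaxPasswordBytes)
}

func main() {
	// Constructed sample passwords: exactly at the limit, the 100-character
	// case from this issue, and a 40-character string of 2-byte characters.
	samples := []string{
		strings.Repeat("a", 72),
		strings.Repeat("a", 100),
		strings.Repeat("\u00e9", 40), // "é" is 2 bytes in UTF-8, so 80 bytes
	}
	fmt.Println(Requirements())
	for _, pw := range samples {
		c := ValidatePassword(pw)
		if c.Err != nil {
			fmt.Printf("%3d chars / %3d bytes -> rejected: %v\n", c.Chars, c.Bytes, c.Err)
			continue
		}
		fmt.Printf("%3d chars / %3d bytes -> ok, safe to pass to bcrypt\n", c.Chars, c.Bytes)
	}
}
```

Running the check before calling the hash library means the user sees "password is too long" with the actual byte count, and the server never hands bcrypt an input it will only partially use. Whether to expose the exact limit or a slightly smaller round number, as suggested above, is a policy choice; the check itself is the same either way.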