jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Missing bcrypt limitation checks #4

Closed Freaky closed 8 years ago

Freaky commented 8 years ago

BCrypt has two unfortunate properties:

Rodauth doesn't seem to check for either.

jeremyevans commented 8 years ago

For your first point, bcrypt still works with longer passwords:

require 'bcrypt'
s = '0'*73; BCrypt::Password.create(s) == s # => true

It ignores bytes after the first 72, but I'm not sure we should raise an error for such passwords.

For your second point, I agree that it makes sense to add a check for null characters and treat such passwords as invalid.
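The two checks discussed in this thread, written out as an added example that is not Rodauth's own code: it rejects passwords containing a NUL byte (the check agreed to above) and also flags passwords longer than the 72 bytes bcrypt actually hashes, measuring in bytes rather than characters. The function names and sample passwords are constructed for the example.

```ruby
# Added example, not Rodauth's code: a pre-hash check for the two inputs bcrypt
# handles badly. Bytes after the 72nd are ignored, so a longer password is only
# verified by its prefix; and bcrypt treats the secret as a C string, so
# everything after the first NUL byte is dropped. Lengths are measured in
# bytes, since a multibyte UTF-8 password can exceed 72 bytes with far fewer
# than 72 characters.

BCRYPT_MAX_BYTES = 72

# Returns an array of problems found; an empty array means the password is
# safe to hand to BCrypt::Password.create without silent truncation.
def bcrypt_password_problems(password)
  problems = []
  bytes = password.b # binary copy so the checks below are byte-based
  problems << :contains_null_byte if bytes.include?("\0")
  problems << :too_long_for_bcrypt if bytes.bytesize > BCRYPT_MAX_BYTES
  problems
end

def bcrypt_password_ok?(password)
  bcrypt_password_problems(password).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the euro sign is 3 bytes in UTF-8.
  samples = {
    "72 ASCII bytes"      => "0" * 72,
    "73 ASCII bytes"      => "0" * 73,
    "24 three-byte chars" => "\u20AC" * 24, # 24 chars, 72 bytes: accepted
    "25 three-byte chars" => "\u20AC" * 25, # 25 chars, 75 bytes: rejected
    "embedded NUL"        => "correct\0horse",
  }
  samples.each do |label, pw|
    printf("%-20s chars=%-3d bytes=%-3d %s\n", label, pw.length, pw.bytesize,
           bcrypt_password_problems(pw).inspect)
  end
end
```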

Freaky commented 8 years ago

It doesn't really work, because it's not doing what it appears to be doing. A user entering a passphrase has a reasonable expectation that if it's accepted, that is their passphrase. Not an arbitrary prefix of it.

Granted, it is a fairly long prefix, so I'm not going to whine too much about it.

Thanks :)

jeremyevans commented 8 years ago

@Freaky You may want to consider bringing this up with the ruby-bcrypt developers and see what they think about raising an exception in such cases.