Passwords Limited to 72 Bytes

[starsoccer]

Describe the bug

It seems currently passwords are limited to 72 bytes for no clear reason. Instead passwords of any length should be allowed or atleast 128+

Steps to reproduce

1. Create a new Memos Instance
2. When prompted to enter a password enter a 100 character password
3. Error appears saying passwords are limited to 72 bytes

The version of Memos you're using.

stable

Screenshots or additional context

No response

[michaeldakin]

I believe this is a limitation with bcrypt's 'GenerateFromPassword' function which has a max limit of 72 bits.

From the docs it states: ''' GenerateFromPassword does not accept passwords longer than 72 bytes, which is the longest password bcrypt will operate on.'''

May be worth reviewing something like argon2id to allow longer passwords?

Other reading:

• https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
• https://github.com/golang/go/issues/36546

[wsw70]

Bcrypt is outdated

OWASP Password Storage Cheat Sheet recommends

• Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
• If Argon2id is not available, use scrypt with a minimum CPU/memory cost parameter of (2^17), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
• For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.
• If FIPS-140 compliance is required, use PBKDF2 with a work factor of 600,000 or more and set with an internal hash function of HMAC-SHA-256.
• Consider using a pepper to provide additional defense in depth (though alone, it provides no additional secure characteristics).

Argon2id is a no-brainer today (well, until the next best solutions arrive :)) and has a native implementation in Go

---

Note: I would not say that this issue is a "bug", but rather an improvement (this is to address the bug label

[starsoccer]

Well if changing to not use bcrypt is not an option, another option is to just hash the password before passing to bcrypt and then using that hash as the actual input. This seems to be common too.