Document password truncation with BCryptPasswordHasher

This commit is contained in:
Donald Stufft 2013-03-26 12:51:05 -04:00
parent 207117ae73
commit 33c4abb71a
1 changed files with 11 additions and 0 deletions

View File

@ -100,6 +100,17 @@ To use Bcrypt as your default storage algorithm, do the following:
That's it -- now your Django install will use Bcrypt as the default storage
algorithm.
.. admonition:: Password truncation with BCryptPasswordHasher
The designers of bcrypt truncate all passwords at 72 characters which means
that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
``BCryptPasswordHasher`` does not have any special handling and
thus is also subject to this hidden password length limit. The practical
ramification of this truncation is pretty marginal as the average user does
not have a password greater than 72 characters in length and even being
truncated at 72 the compute powered required to brute force bcrypt in any
useful amount of time is still astronomical.
.. admonition:: Other bcrypt implementations
There are several other implementations that allow bcrypt to be