From 33c4abb71a3534deab13564eb3168ed0cbfe1786 Mon Sep 17 00:00:00 2001 From: Donald Stufft Date: Tue, 26 Mar 2013 12:51:05 -0400 Subject: [PATCH] Document password truncation with BCryptPasswordHasher --- docs/topics/auth/passwords.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index 714b272219b..164c8297231 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt @@ -100,6 +100,17 @@ To use Bcrypt as your default storage algorithm, do the following: That's it -- now your Django install will use Bcrypt as the default storage algorithm. +.. admonition:: Password truncation with BCryptPasswordHasher + + The designers of bcrypt truncate all passwords at 72 characters which means + that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``. + ``BCryptPasswordHasher`` does not have any special handling and + thus is also subject to this hidden password length limit. The practical + ramification of this truncation is pretty marginal as the average user does + not have a password greater than 72 characters in length and even being + truncated at 72 the compute powered required to brute force bcrypt in any + useful amount of time is still astronomical. + .. admonition:: Other bcrypt implementations There are several other implementations that allow bcrypt to be
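Review bot: the new admonition's last sentence has a typo, "the compute powered required to brute force bcrypt" should read "the compute power required to brute force bcrypt". While touching that paragraph, consider stating the limit as 72 bytes rather than 72 characters: bcrypt truncates the UTF-8 encoded key at 72 bytes, so a password made of multi-byte characters is cut well short of 72 characters, which is the more surprising case for a reader of this note. The example expression ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])`` also pushes that line past the 79-column width used elsewhere in this file; wrapping the literal or shortening the placeholder names would keep it consistent.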