diff options
| author | Donald Stufft <donald@stufft.io> | 2013-03-26 12:51:05 -0400 |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2013-03-26 13:29:53 -0400 |
| commit | 33c4abb71a3534deab13564eb3168ed0cbfe1786 (patch) | |
| tree | 31c76cacb46a2acbf314a7ac685211d9a21a1c07 | |
| parent | 207117ae731096d8148c17c6ca16f06ebf18537c (diff) | |
Document password truncation with BCryptPasswordHasher
| -rw-r--r-- | docs/topics/auth/passwords.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index 714b272219..164c829723 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt @@ -100,6 +100,17 @@ To use Bcrypt as your default storage algorithm, do the following: That's it -- now your Django install will use Bcrypt as the default storage algorithm. +.. admonition:: Password truncation with BCryptPasswordHasher + + The designers of bcrypt truncate all passwords at 72 characters which means + that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``. + ``BCryptPasswordHasher`` does not have any special handling and + thus is also subject to this hidden password length limit. The practical + ramification of this truncation is pretty marginal as the average user does + not have a password greater than 72 characters in length and even being + truncated at 72 the compute powered required to brute force bcrypt in any + useful amount of time is still astronomical. + .. admonition:: Other bcrypt implementations There are several other implementations that allow bcrypt to be |
