summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDonald Stufft <donald@stufft.io>2013-03-26 10:32:08 -0700
committerDonald Stufft <donald@stufft.io>2013-03-26 10:32:08 -0700
commit456d6c15dbbfc81c355e790c15cda3c28205123e (patch)
tree31c76cacb46a2acbf314a7ac685211d9a21a1c07 /docs
parent207117ae731096d8148c17c6ca16f06ebf18537c (diff)
parent33c4abb71a3534deab13564eb3168ed0cbfe1786 (diff)
Merge pull request #961 from dstufft/document-bcrypt-truncation-1.5.x
Document password truncation with BCryptPasswordHasher
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/passwords.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt
index 714b272219..164c829723 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -100,6 +100,17 @@ To use Bcrypt as your default storage algorithm, do the following:
That's it -- now your Django install will use Bcrypt as the default storage
algorithm.
+.. admonition:: Password truncation with BCryptPasswordHasher
+
+ The designers of bcrypt truncate all passwords at 72 characters which means
+ that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
+ ``BCryptPasswordHasher`` does not have any special handling and
+ thus is also subject to this hidden password length limit. The practical
+ ramification of this truncation is pretty marginal as the average user does
+ not have a password greater than 72 characters in length and even being
+ truncated at 72 the compute powered required to brute force bcrypt in any
+ useful amount of time is still astronomical.
+
.. admonition:: Other bcrypt implementations
There are several other implementations that allow bcrypt to be