| author | Donald Stufft <donald@stufft.io> | 2013-03-26 10:32:19 -0700 |
|---|---|---|
| committer | Donald Stufft <donald@stufft.io> | 2013-03-26 10:32:19 -0700 |
| commit | 41af26dd5338c67eda5dbd18a8fd4811aff68e47 (patch) | |
| tree | 4c74f2d17da3684304aa160c916f5d9bd9437239 | |
| parent | 577a27a9fc921b29c08b379116633e7b0e5a7f6b (diff) | |
| parent | 843034a8d653af5b711a4ff79292e46e26717038 (diff) | |
Merge pull request #962 from dstufft/document-bcrypt-truncation-1.4.x
Document password truncation with BCryptPasswordHasher
| -rw-r--r-- | docs/topics/auth.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt index efc6e78413..677429db47 100644 --- a/docs/topics/auth.txt +++ b/docs/topics/auth.txt @@ -462,6 +462,17 @@ To use Bcrypt as your default storage algorithm, do the following: That's it -- now your Django install will use Bcrypt as the default storage algorithm. +.. admonition:: Password truncation with BCryptPasswordHasher + + The designers of bcrypt truncate all passwords at 72 characters which means + that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``. + ``BCryptPasswordHasher`` does not have any special handling and + thus is also subject to this hidden password length limit. The practical + ramification of this truncation is pretty marginal as the average user does + not have a password greater than 72 characters in length and even being + truncated at 72 the compute powered required to brute force bcrypt in any + useful amount of time is still astronomical. + .. admonition:: Other bcrypt implementations There are several other implementations that allow bcrypt to be |
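Review bot: the new admonition says bcrypt truncates passwords at 72 characters, but the limit applies to the bytes of the encoded password, so a password containing multibyte UTF-8 characters is cut off after fewer than 72 characters; consider wording it as "72 bytes" and noting that the same truncation happens when a password is checked, so anything past the limit is silently ignored at login as well. Two wording fixes in the same paragraph: "the compute powered required to brute force bcrypt" should read "the compute power required to brute-force bcrypt", and the sentence starting "The practical ramification" is a run-on that would read better split after "72 characters in length".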
