Reputation: 972
I saw a post saying that bcrypt has a 72-character limit, so I tested Spring Security's BCryptPasswordEncoder to see what would happen. I tried a password over 1000 characters long and it worked normally; not even a warning was logged.
I looked through the JavaDoc and online docs but couldn't find anything about an input length limitation.
Is BCryptPasswordEncoder's password length limit more than 72 characters? If so, can I use this in my web applications?
Upvotes: 3
Views: 1153
Reputation: 185
I just did some tests with spring-security-crypto-6.2.4 and got some interesting results.
I tested the BCryptPasswordEncoder from Spring and found some problems that might occur if you want to use the hashed passwords. I therefore recommend using a custom implementation instead of the BCryptPasswordEncoder if you work with the hashed passwords later on. But if you're only using the BCryptPasswordEncoder for the Spring login, you should be fine, since Spring somehow seems to work fine with the encoder.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class EncoderTest {
    public static void main(String[] args) throws Exception {
        final String pw3 = "123";
        final String pw3v2 = "123";
        // strength -1 selects the default cost (10); the seeded SecureRandom supplies the salts
        PasswordEncoder encoder = new BCryptPasswordEncoder(-1, new SecureRandom("sdlfkj".getBytes(StandardCharsets.UTF_8)));
        // every encode() call draws a fresh random salt, so the three hashes below differ
        System.out.println(encoder.encode(pw3));
        System.out.println(encoder.encode(pw3));
        System.out.println(encoder.encode(pw3v2));
    }
}
$2a$10$L4sdioBt/ObAxXqrUCVzZueG3c1sLGqrfKnIJ4QjnGi90NZRPEfna
$2a$10$hQzsoCTtAmXBi.IFH6LMc.rTWuaZJvyt1tLBJozKS83Zqq.T29hRW
$2a$10$ZgvuLGM2xUE1EUGgDOjTXOsjUBnaBimFZR6VKaXKAVVe4r8c4n17q
I also tested the hash function of BCrypt itself. Since I could influence the salt parameter there, the consistency with the same passwords worked here. Additionally, I had the same results as others before with the 72-char limit.
import org.springframework.security.crypto.bcrypt.BCrypt;

public class BCryptLimitTest {
    public static void main(String[] args) throws Exception {
        final String pw3 = "123";
        final String pw3v2 = "123";
        final String pw71 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        final String pw72 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        final String pw73 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        final String pw144 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        // one fixed salt for every call, so equal inputs must give equal hashes
        final String salt = BCrypt.gensalt();
        System.out.println(BCrypt.hashpw(pw3, salt));
        System.out.println(BCrypt.hashpw(pw3, salt));
        System.out.println(BCrypt.hashpw(pw3v2, salt));
        System.out.println(BCrypt.hashpw(pw71, salt));
        System.out.println(BCrypt.hashpw(pw72, salt));
        System.out.println(BCrypt.hashpw(pw73, salt));
        System.out.println(BCrypt.hashpw(pw144, salt));
    }
}
$2a$10$nhk6YpHAf97z2s/UZcoTyO5mHxmqMDoZ5hrDeNp3yr/GmEzPSrcgG
$2a$10$nhk6YpHAf97z2s/UZcoTyO5mHxmqMDoZ5hrDeNp3yr/GmEzPSrcgG
$2a$10$nhk6YpHAf97z2s/UZcoTyO5mHxmqMDoZ5hrDeNp3yr/GmEzPSrcgG
$2a$10$nhk6YpHAf97z2s/UZcoTyOhw3ytYxilZL7CMoxuXfKd/kQnGhL9i.
$2a$10$nhk6YpHAf97z2s/UZcoTyOxCxHBcfsihDMVN/PvGXUU7E0InA9sPC
$2a$10$nhk6YpHAf97z2s/UZcoTyOxCxHBcfsihDMVN/PvGXUU7E0InA9sPC
$2a$10$nhk6YpHAf97z2s/UZcoTyOxCxHBcfsihDMVN/PvGXUU7E0InA9sPC
I also looked into the code of the BCrypt class to see if the limit could be changed, but unfortunately it looks like the limit is hard-coded.
Upvotes: 0
Reputation: 972
It seems BCryptPasswordEncoder crops the password without any warning.
I tried with BCrypt instead of BCryptPasswordEncoder like this.
import java.util.Arrays;
import org.junit.jupiter.api.Test; // assumption: JUnit 5; use org.junit.Test for JUnit 4
import org.springframework.security.crypto.bcrypt.BCrypt;

public class BCryptTruncationTest {
    @Test
    public void testBcrypt() throws Exception {
        final String pw1_a71 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // 71 x 'a'
        final String pw2 = pw1_a71 + "b"; // 72 chars
        final String pw3 = pw2 + "b";     // 73 chars; the extra 'b' lies beyond the 72nd byte
        final String pw4 = "b" + pw2;     // 73 chars; here the difference falls inside the first 72 bytes
        final String gensalt = BCrypt.gensalt();
        for (final String pw : Arrays.asList(pw1_a71, pw2, pw3, pw4)) {
            System.out.println(BCrypt.hashpw(pw, gensalt));
        }
    }
}
Output:
$2a$10$9S6TbAreOnBH1ZCdZ.G0WOBxiIEizo92CNeFFBlcg1bxyGa9mMgEu
$2a$10$9S6TbAreOnBH1ZCdZ.G0WO4Pm8wq3zRnVR6szbZynp8DHOq3XCwoW
$2a$10$9S6TbAreOnBH1ZCdZ.G0WO4Pm8wq3zRnVR6szbZynp8DHOq3XCwoW
$2a$10$9S6TbAreOnBH1ZCdZ.G0WOCC3kvOwtnzVpiEmOWvIA6WIKzxi7lhy
Upvotes: 3
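A defensive wrapper that makes the silent truncation shown in both answers impossible to hit, as an added example (not code from either answer or from Spring Security): it refuses any password whose UTF-8 encoding exceeds 72 bytes before delegating to the standard BCryptPasswordEncoder. The class name and the constant name are mine; it assumes Java 11+ for String.repeat.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public final class LengthCheckedBCryptEncoder implements PasswordEncoder {
    // bcrypt uses at most 72 bytes of the password; the identical hashes of
    // pw72, pw73 and pw144 in the first answer are this truncation in action.
    static final int BCRYPT_MAX_BYTES = 72;
    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    // Count UTF-8 bytes, not chars: a non-ASCII character costs 2 to 4 bytes,
    // so a password well under 72 characters can still exceed the limit.
    static boolean fitsInBcrypt(CharSequence raw) {
        return raw != null
                && raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Fail loudly at enrolment instead of storing a hash of a 72-byte prefix.
        if (!fitsInBcrypt(rawPassword)) {
            throw new IllegalArgumentException(
                    "password exceeds bcrypt's " + BCRYPT_MAX_BYTES + "-byte input limit");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // An over-long candidate can never have been stored by this encoder, so
        // refuse it rather than let bcrypt compare only its first 72 bytes.
        return fitsInBcrypt(rawPassword) && delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder enc = new LengthCheckedBCryptEncoder();
        String pw72 = "a".repeat(72);
        String hash = enc.encode(pw72);
        // A plain BCryptPasswordEncoder accepts the 73-byte candidate against the
        // 72-byte hash because bcrypt never sees the extra byte; this wrapper does not.
        System.out.println("72 bytes, own hash:    " + enc.matches(pw72, hash));
        System.out.println("73 bytes, same prefix: " + enc.matches(pw72 + "b", hash));
        try {
            enc.encode(pw72 + "b");
        } catch (IllegalArgumentException e) {
            System.out.println("encode rejected: " + e.getMessage());
        }
    }
}
```

Hashes already stored by a plain BCryptPasswordEncoder for over-long passwords were computed from the first 72 bytes only, so putting this wrapper in front of matches() locks those users out until they set a new password.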