Password 1: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1 Password 2: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2 These two users can log in to each other's accounts because bcrypt caps hashing to the first 72 bytes.
@devhammed What if you did: password -> md5 -> bcrypt ? Would that make sense?
@thepanta82 Ye
@devhammed That's why you need to implement this check
@devhammed Surely the entropy with 72 characters is high enough that a risk of two people having the same first 72 characters in a password is insanely close to zero. Or am I missing something?
@diaper The issue is not that but users thinking having a password that is more than 72 bytes makes their account more secure.
@devhammed Iirc you can run sha256 first, then bcrypt, to work around this limitation. Imo much better than showing a limit on the user's side
@MaxTagher This works too
@devhammed Why would anyone ever make passwords that long anyway?
@devmafex I remember doing 64 in my password manager so someone might!
@devhammed You need at least one special character in your password, try again.
@hetmehtaa You are missing the point
@devhammed So the solution would be ???
@projecthanif Limit the max characters a user can use as a password to, say, 72, which should be enough for most UTF-8 characters.
@devhammed Simply validate the input such that users can't exceed 72 bytes
@basit_2610 Of course.
@devhammed But it is only a vulnerability if your system allows passwords longer than 72 bytes without pre-hashing or trimming.
@KubomuEdi Exactly 💯
@devhammed So, Argon2id might help here. Does it?
@malinjr07 Yes
@devhammed Does this mean my passwords provide less security than I designed them for? Or that the platform is broken?
@Cekbe8 It means the passwords provide less security than designed. Users might think passwords more than 72 bytes are secure but apparently not.
@devhammed Salting will still make the passwords unique
@o_ifechukwu Won't remove the limitation though.
@devhammed There's an article by @valorin exactly on this, but it seems like the real impact isn't really worth worrying about. https://securinglaravel.com/se...
@julian_center @valorin But I think it is important to inform users using 72+ characters, hence the max validation.
@7lp____ Encryption is not the same as Hashing
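An added example, not taken from the thread or from any project it mentions, in Python using only the standard library: it shows why the two passwords in the original post collide under bcrypt's 72-byte cut, a validation check that counts UTF-8 bytes rather than characters (a 30-character password of 3-byte characters is 90 bytes), and the SHA-256 pre-hash discussed above, base64-encoded so the value handed to bcrypt is 44 ASCII bytes with no NUL. The function names and the sample passwords are constructed for this example.

```python
import base64
import hashlib

# bcrypt only uses the first 72 bytes of its input (the thread's whole point).
BCRYPT_MAX_BYTES = 72

# Constructed samples: the two passwords from the original post.
PASSWORD_1 = "a" * 72 + "1"
PASSWORD_2 = "a" * 72 + "2"


def bcrypt_effective_input(password: str) -> bytes:
    """The bytes bcrypt actually hashes: the UTF-8 encoding cut at 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def exceeds_bcrypt_limit(password: str) -> bool:
    """Validation check for the 'reject over 72' approach.

    Counts UTF-8 *bytes*, not characters: a character limit alone lets
    multi-byte passwords slip past the cap and get silently truncated.
    """
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def prehash_for_bcrypt(password: str) -> bytes:
    """The 'sha256 first, then bcrypt' approach from the thread.

    SHA-256 folds every byte of the password into a 32-byte digest, so no
    part of a long password is ignored. The digest is base64-encoded before
    it goes to bcrypt: the raw digest can contain 0x00, which C-string based
    bcrypt implementations treat as end of input, while base64 output is
    44 bytes of printable ASCII and therefore well under the 72-byte cap.
    Pass the returned value to your bcrypt library in place of the password.
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Same first 72 bytes: bcrypt would accept either password for both users.
    print(bcrypt_effective_input(PASSWORD_1) == bcrypt_effective_input(PASSWORD_2))
    # The byte-length check rejects both, and also a 30-character, 90-byte password.
    print(exceeds_bcrypt_limit(PASSWORD_1), exceeds_bcrypt_limit("€" * 30))
    # Pre-hashed inputs differ, so the accounts no longer share a bcrypt input.
    print(prehash_for_bcrypt(PASSWORD_1) != prehash_for_bcrypt(PASSWORD_2))
```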

