Some hashing algorithms such as Bcrypt have a maximum length for the input, which is 72 characters for most implementations (there are some reports that other implementations have lower maximum lengths, but none have been identified at the time of writing). Where Bcrypt is used, a maximum length of 64 characters should be enforced on the input, as this provides a sufficiently high limit, while still allowing for string termination issues and not revealing that the application uses Bcrypt.
Additionally, due to how computationally expensive modern hashing functions are, if a user can supply very long passwords then there is a potential denial of service vulnerability, such as the one published in Django in 2013.
In order to protect against both of these issues, a maximum password length should be enforced. This should be 64 characters for Bcrypt (due to limitations in the algorithm and implementations), and between 64 and 128 characters for other algorithms.
eliotsykes changed the title from "OWASP guidelines on max password length for bcrypt and other hashing algorithms" to "OWASP guidelines on max password length for bcrypt and other hashing algorithms (mitigates DoS)" on Jul 24, 2020
eliotsykes changed the title from "OWASP guidelines on max password length for bcrypt and other hashing algorithms (mitigates DoS)" to "OWASP guidelines on max password length" on Jul 26, 2020
Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#maximum-password-lengths