New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: limit maximum password length #3781
base: master
Are you sure you want to change the base?
feat: limit maximum password length #3781
Conversation
"default": 1024, | ||
"minimum": 20 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: discuss default values
Should it be limited to max 72 characters to account for bcrypt hasher limitations?
Lines 57 to 65 in 9710549
// Bcrypt truncates the password to the first 72 bytes, following the OpenBSD implementation, | |
// so if password is longer than 72 bytes, function returns an error | |
// See https://en.wikipedia.org/wiki/Bcrypt#User_input | |
if len(password) > 72 { | |
return schema.NewPasswordPolicyViolationError( | |
"#/password", | |
text.NewErrorValidationPasswordMaxLength(72, len(password)), | |
) | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: update Breaking changes section with new value
ec8570e
to
37810b3
Compare
963e663
to
78a6480
Compare
Hi @aeneasr 👋
I believe my changes are not related to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From NIST https://pages.nist.gov/800-63-3/sp800-63b.html#a2-length
Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.
I think the default should be at least 1024, probably even more. The bcrypt hasher already enforces the correct length, so I don't think there is any reason to account for that.
Setting the default to e.g. 2MB also makes it very unlikely that anyone uses a password of this lenght, and basically avoids the breaking change.
Sorry if this sounds dumb but what exactly is the use case for limiting password length? BCrypt will cut off passwords longer than 72 chars (so it does not matter what comes after the 72nd character). |
I totally agree, that we should allow long passwords by default 👍 |
It is a fix for issue discussed in #2449 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me now 👍
The default of 1024 is a breaking change, but I'd guess no-one is really affected by this in the end. It is currently not possible to say how long passwords are, so someone who would upgrade without breaking users would need to collect these data for some time before upgrading (without collecting the passwords obviously).
Another idea to completely avoid a breaking change would be to ignore the limit if it is not set, but as explained I think a default is fine.
Allow to specify max password length. See #2449
Related issue(s)
This change resolve issue mentioned in #2449
Go one step closer to ideal solution mentioned in #2396
Checklist
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
introduces a new feature.
Further Comments