id: 20138
summary: BCrypt effectively limits password length.
reporter: Donald Stufft
owner: nobody
description:

Bcrypt effectively truncates the password if it goes over a certain threshold. With the default configuration of Django that seems to be 72 characters.

I propose adding a new hash backend that first hashes the password using SHA512. This will not negatively affect the strength of the password hash because bcrypt(sha512(plaintext)) is not insecure as long as sha512 isn't broken.

More information: http://security.stackexchange.com/questions/6623/pre-hash-password-before-applying-bcrypt-to-avoid-restricting-password-length .

{{{
>>> import random, string, hashlib
>>> from django.conf import settings
>>> settings.configure()
>>> from django.contrib.auth.hashers import BCryptPasswordHasher
>>> password = "".join(random.choice(string.ascii_uppercase + string.digits) for x in range(100))
>>> bcrypt = BCryptPasswordHasher()
>>> bcrypt.verify(password, bcrypt.encode(password, bcrypt.salt()))
True
>>> bcrypt.verify(password[:72], bcrypt.encode(password, bcrypt.salt()))
True
>>> bcrypt.verify(password[:71], bcrypt.encode(password, bcrypt.salt()))
False
>>> bcrypt.verify(hashlib.sha512(password).digest(), bcrypt.encode(hashlib.sha512(password).digest(), bcrypt.salt()))
True
>>> bcrypt.verify(hashlib.sha512(password[:72]).digest(), bcrypt.encode(hashlib.sha512(password).digest(), bcrypt.salt()))
False
>>> bcrypt.verify(hashlib.sha512(password[:71]).digest(), bcrypt.encode(hashlib.sha512(password).digest(), bcrypt.salt()))
False
}}}

type: Uncategorized
status: closed
component: contrib.auth
version: dev
severity: Normal
resolution: fixed
keywords:
cc:
stage: Unreviewed
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0
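The following is an added example, not code from the ticket or from Django, illustrating the behaviour the REPL session above demonstrates and the design question the proposal raises. Because the bcrypt package is not part of the standard library, the example models only the one property of bcrypt that matters here: the key is read as a C string (the OpenBSD reference implementation measures it with strlen(), so it stops at the first NUL byte) and at most 72 bytes of it are used. Everything else about `model_hashpw` is a stand-in and is not a password hash. The salt string, the `prehash_*` helper names and the "correct horse battery staple N" candidate passwords are constructed for the example. It reproduces the ticket's collision between two 100-character passwords that share their first 72 bytes, shows that a pre-hash removes it, and then compares three pre-hash encodings: the raw SHA-512 digest the ticket proposes (64 bytes, but roughly 22% of digests contain a NUL byte, which the C-string reading truncates and pyca/bcrypt rejects outright), the SHA-512 hex digest (128 bytes, so bcrypt silently drops 56 of them), and the SHA-256 hex digest (64 bytes, consumed in full; this is the encoding Django's later BCryptSHA256PasswordHasher uses).

```python
# Added example (not from the ticket or from Django): models bcrypt's
# key limit so the behaviour can be explored offline without the bcrypt
# package. Only the truncation of the key is realistic; model_hashpw is
# a placeholder and must never be used to hash real passwords.
import base64
import hashlib

BCRYPT_KEY_LIMIT = 72  # bytes; the threshold the ticket observed


def bcrypt_effective_key(key: bytes) -> bytes:
    """Bytes a bcrypt implementation actually uses from the supplied key.

    The OpenBSD reference code measures the key with strlen(), so it
    stops at the first NUL byte, and it never uses more than 72 bytes.
    (pyca/bcrypt instead rejects keys containing NUL, which is the other
    failure mode a raw digest can trigger.)
    """
    nul = key.find(b"\x00")
    if nul != -1:
        key = key[:nul]
    return key[:BCRYPT_KEY_LIMIT]


def model_hashpw(key: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt.hashpw: only the key truncation is realistic."""
    return hashlib.sha256(salt + bcrypt_effective_key(key)).digest()


def model_verify(key: bytes, salt: bytes, stored: bytes) -> bool:
    return model_hashpw(key, salt) == stored


# Pre-hash candidates: each maps an arbitrary-length password to a
# fixed-size key. The question is which key bcrypt will consume in full.
def prehash_sha512_raw(password: str) -> bytes:
    # 64 bytes, as proposed in the ticket; may contain NUL bytes
    return hashlib.sha512(password.encode("utf-8")).digest()


def prehash_sha512_hex(password: str) -> bytes:
    # 128 ASCII bytes; NUL-free but longer than the 72-byte limit
    return hashlib.sha512(password.encode("utf-8")).hexdigest().encode("ascii")


def prehash_sha256_hex(password: str) -> bytes:
    # 64 ASCII bytes; NUL-free and within the limit
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


def prehash_sha512_b64(password: str) -> bytes:
    # 88 ASCII bytes; NUL-free but still over the limit
    return base64.b64encode(hashlib.sha512(password.encode("utf-8")).digest())


def key_consumed_in_full(prehash, password: str) -> bool:
    """True when bcrypt would use every byte of the pre-hashed key."""
    key = prehash(password)
    return bcrypt_effective_key(key) == key


def collides_under_truncation(prehash, pw_a: str, pw_b: str) -> bool:
    """Does pw_b verify against the stored hash of pw_a?

    prehash=None sends the password bytes straight to bcrypt, as the
    ticket's BCryptPasswordHasher does.
    """
    salt = b"constructed-salt"  # constructed; a real salt is random per hash
    to_key = (lambda p: p.encode("utf-8")) if prehash is None else prehash
    return model_verify(to_key(pw_b), salt, model_hashpw(to_key(pw_a), salt))


def first_password_with_nul_in_sha512(limit: int = 2000) -> str:
    """Find a constructed password whose raw SHA-512 digest contains a
    NUL byte (about 22% of digests do), to show that the raw-digest
    pre-hash loses key bytes under C-string handling."""
    for i in range(limit):
        candidate = f"correct horse battery staple {i}"  # constructed input
        if b"\x00" in prehash_sha512_raw(candidate):
            return candidate
    raise RuntimeError("no NUL-containing digest found")  # practically unreachable


if __name__ == "__main__":
    shared = "A" * 72
    # Same first 72 bytes, different tails: bare bcrypt cannot tell them apart
    print(collides_under_truncation(None, shared + "x" * 28, shared + "y" * 28))
    print(collides_under_truncation(prehash_sha256_hex, shared + "x" * 28, shared + "y" * 28))
    nul_pw = first_password_with_nul_in_sha512()
    print(repr(nul_pw), key_consumed_in_full(prehash_sha512_raw, nul_pw))
    for name, fn in [("sha512 raw", prehash_sha512_raw), ("sha512 hex", prehash_sha512_hex),
                     ("sha512 b64", prehash_sha512_b64), ("sha256 hex", prehash_sha256_hex)]:
        print(name, len(fn("pw")), "bytes, consumed in full:", key_consumed_in_full(fn, "pw"))
```

Two practical notes. The limit is 72 bytes, not characters: a password written in a multibyte script reaches it after far fewer characters than the ticket's ASCII test suggests, which is one more reason to pre-hash. And whatever pre-hash is chosen must be stored as part of the hasher's algorithm identifier, since bcrypt(sha256(pw)) and bcrypt(pw) are different hashes of the same password and existing stored hashes cannot be migrated without the plaintext.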