Implementation of the password hasher based on BCrypt.
The designers of bcrypt truncate all passwords at 72 characters, which means that bcrypt(password_with_100_chars) ==
bcrypt(password_with_100_chars[:72]). The original BCryptPasswordHasher does no special handling and is therefore
subject to this hidden password length limit. BCryptSha256PasswordHasher fixes this by first hashing the password
with SHA-256. This prevents the truncation, so it should be preferred over BCryptPasswordHasher. The practical
impact of the truncation is marginal: the average user does not have a password longer than 72 characters, and even
truncated at 72 the compute power required to brute-force bcrypt in any useful amount of time is still astronomical.
Nonetheless, we recommend BCryptSha256PasswordHasher anyway, on the principle of "better safe than sorry".
https://crypto.stackexchange.com/questions/24993/is-there-a-way-to-use-bcrypt-with-passwords-longer-than-72-bytes-securely
https://docs.djangoproject.com/en/1.10/topics/auth/passwords/#using-bcrypt-with-django
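An added Python example (not this hasher's own code) showing why the pre-hash matters. It is modelled on Django's BCryptSha256PasswordHasher and assumes, as Django does, that the SHA-256 hex digest (64 ASCII bytes) is what gets fed to bcrypt; the third-party `bcrypt` package is an assumed optional dependency and the sample passwords are constructed.

```python
import hashlib
from typing import Optional

BCRYPT_MAX_BYTES = 72  # bcrypt only consumes the first 72 *bytes* of its input


def bcrypt_effective_input(password: str) -> bytes:
    """The bytes plain bcrypt would actually hash: UTF-8 encoded, cut at 72 bytes.
    Models the documented truncation (multi-byte characters count per byte)."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def prehash_sha256(password: str) -> bytes:
    """Pre-hash step of the SHA-256 variant: the hex digest, 64 ASCII bytes.
    Hex keeps the value under 72 bytes and free of NUL bytes, so bcrypt sees all of it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


def make_hash(password: str, rounds: int = 12) -> Optional[bytes]:
    """Pre-hash, then bcrypt. Uses the `bcrypt` package if installed (assumed dependency)."""
    try:
        import bcrypt  # third-party, not part of the standard library
    except ImportError:
        return None
    return bcrypt.hashpw(prehash_sha256(password), bcrypt.gensalt(rounds))


def check_hash(password: str, hashed: bytes) -> bool:
    """Verify a candidate against a hash produced by make_hash()."""
    import bcrypt  # assumed dependency, see make_hash()
    return bcrypt.checkpw(prehash_sha256(password), hashed)


if __name__ == "__main__":
    # Constructed sample: two passwords identical in the first 72 bytes, different after.
    a = "x" * 72 + "secret-tail-A"
    b = "x" * 72 + "secret-tail-B"
    print(bcrypt_effective_input(a) == bcrypt_effective_input(b))  # True: plain bcrypt cannot tell them apart
    print(prehash_sha256(a) == prehash_sha256(b))                   # False: the pre-hash keeps the tail
    h = make_hash(a)
    if h is not None:
        print(check_hash(a, h), check_hash(b, h))  # True False
```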
The companion object.
gensalt