Is that true and what is the reason? #BSD

https://immich.app/cursed-knowledge/

2024-06-25 Long passwords are cursed
The bcrypt implementation only uses the first 72 bytes of a string. Any characters after that are ignored.

@thinkberg this page is gold. Pity that the #bcrypt one doesn't have a reference
@maxheadroom I am sure we will get that info. The #BSD community is pretty nice.
@thinkberg According to Wikipedia bcrypt needs 18 times 32 bit (4 byte) equals 72 byte input for initialization, so that may be the reason.
I wouldn't lose any sleep over this, but it's something to keep in mind.
@blindcoder I don't, just curious.

@thinkberg Sort of, but it's not entirely correct.

Bytes are not necessarily equal to characters.

It's implementation-dependent as to how this limitation is managed, and some have a lower limit (there are lots of implementations and several revisions).

72 bytes may have been considered sufficient when it was published in 1999.
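
The byte-versus-character point above, as an added example that is not part of the thread: a Python model of the truncation step only (it does not call bcrypt), assuming UTF-8 encoding and the 72-byte figure quoted above. All function names are hypothetical and the sample passwords are constructed.

```python
# Added example: models only the input truncation, not the bcrypt hash itself.
BCRYPT_LIMIT = 72  # bytes; the figure quoted in the thread (some implementations use less)


def effective_input(password: str, limit: int = BCRYPT_LIMIT) -> bytes:
    """Bytes a truncating implementation would actually hash (UTF-8 assumed)."""
    return password.encode("utf-8")[:limit]


def chars_covered(password: str, limit: int = BCRYPT_LIMIT) -> int:
    """Number of whole characters that fit entirely inside the byte limit."""
    used = 0
    for index, ch in enumerate(password):
        used += len(ch.encode("utf-8"))
        if used > limit:
            return index
    return len(password)


def splits_character(password: str, limit: int = BCRYPT_LIMIT) -> bool:
    """True if the cut lands in the middle of a multi-byte character."""
    raw = password.encode("utf-8")
    if len(raw) <= limit:
        return False
    # A UTF-8 continuation byte (10xxxxxx) right after the cut means the
    # character it belongs to started before the cut and was chopped.
    return (raw[limit] & 0xC0) == 0x80


def indistinguishable(a: str, b: str, limit: int = BCRYPT_LIMIT) -> bool:
    """True if both passwords present the same bytes to the hash."""
    return effective_input(a, limit) == effective_input(b, limit)


if __name__ == "__main__":
    # Constructed samples: 1-, 2- and 4-byte characters.
    for label, pw in [("ascii", "a" * 80), ("umlaut", "ü" * 40),
                      ("emoji", "a" + "🔑" * 20)]:
        print(label, len(pw), "chars,", len(pw.encode("utf-8")), "bytes,",
              chars_covered(pw), "chars covered, split:", splits_character(pw))
    print(indistinguishable("ü" * 36 + "1", "ü" * 36 + "2"))
```
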

@pwaring Considering how hard it is to convince users to use a password manager with long random passwords, it is probably still "sufficient".
@thinkberg We discovered that the old old crypt library only used the first 8 bytes of a password... Since some people were separating the last bit of an underscore, and some weren't. And we all looked a bit confused when we were telling someone new the shared password. And both worked.

@towo @thinkberg "Shard password"? A content warning would have been nice 😉

@dexternemrod @thinkberg Yeah, basic auth in front of an internal wiki of a small club, there's barely a threat surface to speak of apart from accidental PII leaks

@towo @thinkberg I assumed such context ✌️