I have advocated for bcrypt many times specifically for this. If you can't deploy bcrypt, enforce an upper limit in your authentication form. 100 characters is stupidly more than enough, even for long passphrases.

https://instatunnel.my/blog/the-1mb-password-crashing-backends-via-hashing-exhaustion

#passwords

The 1MB Password: How Hashing Exhaustion Crashes


@atoponce That's an AI vibe-coded company, and that article has massive errors besides hallucinating the whole issue, since none of those algorithms (properly implemented) can DoS. Here's a fun vulnerability they created:
> 1. User sends a 1MB password.
> 2. Server computes `temp_hash = SHA-256(password)`.
> 3. The output of SHA-256 is always a fixed 32-byte string.
> 4. Server computes `final_hash = Bcrypt(temp_hash)`.
In PHP, this is broken because of C strings in the library that does bcrypt.

P.S. The contact page has this:
> InstaTunnel Inc.
> 123 Tech Street
> Suite 100
> San Francisco, CA 94105
> United States
> Phone: +1 (555) 123-4567
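The two defensive points raised in this thread, an input-length cap before any expensive hashing and the NUL-byte hazard of feeding a raw SHA-256 digest to a C-string bcrypt, as an added example that is not code from either post or from InstaTunnel. The `c_string_view` helper only simulates what a NUL-terminated C API sees; the 100-character cap and the candidate password strings are assumptions for illustration.

```python
import hashlib

# Assumed cap; the thread argues 100 characters is more than enough for passphrases.
MAX_PASSWORD_CHARS = 100


def check_password_length(password: str, limit: int = MAX_PASSWORD_CHARS) -> bool:
    """Reject oversized input before any CPU-intensive hashing runs."""
    return len(password) <= limit


def c_string_view(data: bytes) -> bytes:
    """Simulate a C library reading a NUL-terminated string: everything after
    the first 0x00 byte is invisible to it (simulation, not a real bcrypt call)."""
    idx = data.find(b"\x00")
    return data if idx < 0 else data[:idx]


def unsafe_prehash(password: str) -> bytes:
    """Raw SHA-256 digest: 32 bytes that may contain 0x00 anywhere, so a
    C-string bcrypt may hash only a prefix of it (possibly zero bytes)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def safe_prehash(password: str) -> bytes:
    """Hex-encoded digest: always 64 ASCII bytes and never contains 0x00."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


def find_truncated_example(max_tries: int = 10000) -> tuple:
    """Search constructed candidate passwords for one whose raw digest a
    C-string bcrypt would silently truncate. Returns (password, bytes_seen)."""
    for i in range(max_tries):
        candidate = f"correct horse battery staple {i}"  # constructed sample
        raw = unsafe_prehash(candidate)
        seen = c_string_view(raw)
        if len(seen) < len(raw):
            return candidate, len(seen)
    raise RuntimeError("no truncating candidate found")


if __name__ == "__main__":
    pw, seen = find_truncated_example()
    print(f"{pw!r}: a C-string bcrypt would hash only {seen} of 32 digest bytes")
    fixed = safe_prehash(pw)
    print("hex pre-hash length:", len(fixed), "contains NUL:", b"\x00" in fixed)
    print("1 MB password accepted:", check_password_length("a" * 1_000_000))
```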