Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add footnote warning to hashing a hash #411

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add footnote warning to hashing a hash #411

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
34c7e0c
Add footnote warning to hashing a hash
FWDekker Sep 13, 2022
a4497b2
Remove ddos mention, use bcrypt_pbkdf
FWDekker Sep 14, 2022
ee8a991
Rewrite section on maximum password length
FWDekker Aug 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 22 additions & 6 deletions README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,19 +217,32 @@ As of 3.0.0 the ``$2y$`` prefix is still supported in ``hashpw`` but deprecated.
Maximum Password Length
~~~~~~~~~~~~~~~~~~~~~~~

The bcrypt algorithm only handles passwords up to 72 characters, any characters
beyond that are ignored. To work around this, a common approach is to hash a
password with a cryptographic hash (such as ``sha256``) and then base64
encode it to prevent NULL byte problems before hashing the result with
``bcrypt``:
The bcrypt algorithm only handles passwords up to 72 characters; any characters
beyond that are ignored. The best solution to this problem is to stop using
bcrypt and use a modern algorithm such as argon2id or scrypt. Seriously.

If you must use bcrypt, you can work around bcrypt's character limit by first
hashing the password with a hexadecimal salted cryptographic hash. Note that
omitting the salt or using raw output is `recommended against`_ because it may
expose the system to `hash shucking`_ attacks. Therefore, make sure you give the
inner hash function a `pepper`_, and encode the output as base64 to prevent
`NULL`-byte problems:

.. code:: pycon

>>> import base64
>>> import bcrypt
>>> import hmac
>>> password = b"an incredibly long password" * 10
>>> pepper = bcrypt.gensalt() # Do not store the pepper in your database
>>> hashed = bcrypt.hashpw(
... base64.b64encode(hashlib.sha256(password).digest()),
... base64.b64encode(hmac.digest(pepper, password, "sha256")),
... bcrypt.gensalt()
... )
>>> matches = bcrypt.checkpw(
... base64.b64encode(hmac.digest(pepper, password, "sha256")),
... hashed
... )

Compatibility
-------------
Expand All @@ -252,3 +265,6 @@ identify a vulnerability, we ask you to contact us privately.
.. _`standard library`: https://docs.python.org/3/library/hashlib.html#hashlib.scrypt
.. _`argon2_cffi`: https://argon2-cffi.readthedocs.io
.. _`cryptography`: https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/#cryptography.hazmat.primitives.kdf.scrypt.Scrypt
.. _`recommended against`: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords
.. _`hash shucking`: https://security.stackexchange.com/a/234795/
.. _`pepper`: https://en.wikipedia.org/wiki/Pepper_(cryptography)