by xmprt
492 days ago
To be fair, I can't think of a single context where I would want to truncate a password before hashing, so interoperability with other systems isn't worth letting a dangerous edge case by, in my opinion. I'd rather have the system break for the handful of users with a 72+ char password than overlook a potential critical security issue.

I would agree that it should not just be called “bcrypt”, though; likely no function of this module should be. They should either explain their risks or clarify their safety.
Or possibly only a version which fails if passed more than 72 bytes or any NUL.
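The strict variant the comment asks for, as an added example that is not the commenter's code and not the API of any particular bcrypt library. It assumes the classic bcrypt input behaviour: the password is consumed as a C string, so a NUL byte ends it, and only the first 72 bytes feed the key setup. The names `check_bcrypt_input`, `accepts`, `bcrypt_sees` and `collides_after_truncation` are this example's own. The limit is applied to the UTF-8 encoding, which is why a 72-character password made of multibyte characters is rejected.

```python
"""Explicit input checks for bcrypt (example code, not a library API).

Assumption modelled here: bcrypt hashes at most the first 72 bytes of the
password and, in C-string-style implementations, stops at the first NUL.
Instead of silently truncating, refuse inputs that bcrypt could not hash
faithfully.
"""

BCRYPT_MAX_BYTES = 72


class BcryptInputError(ValueError):
    """Raised when a password cannot be passed to bcrypt without loss."""


def check_bcrypt_input(password: str) -> bytes:
    """Return the UTF-8 bytes of `password`, or raise if bcrypt would not
    hash all of them. The limit is 72 *bytes*, not 72 characters."""
    raw = password.encode("utf-8")
    if b"\x00" in raw:
        raise BcryptInputError("password contains a NUL byte; bcrypt would stop there")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise BcryptInputError(
            f"password is {len(raw)} bytes; bcrypt hashes only the first {BCRYPT_MAX_BYTES}"
        )
    return raw


def accepts(password: str) -> bool:
    """Boolean form of check_bcrypt_input, convenient for tests and callers
    that want to report a validation error rather than catch one."""
    try:
        check_bcrypt_input(password)
    except BcryptInputError:
        return False
    return True


def bcrypt_sees(password: str) -> bytes:
    """What a truncating, C-string-style bcrypt actually feeds into the key
    setup: everything up to the first NUL, then at most 72 bytes. Used here
    only to show which distinct passwords collapse to the same input."""
    raw = password.encode("utf-8")
    nul = raw.find(b"\x00")
    if nul != -1:
        raw = raw[:nul]
    return raw[:BCRYPT_MAX_BYTES]


def collides_after_truncation(a: str, b: str) -> bool:
    """True when two *different* passwords are indistinguishable to bcrypt."""
    return a != b and bcrypt_sees(a) == bcrypt_sees(b)


if __name__ == "__main__":
    # Constructed inputs: same 72-byte prefix, different tails.
    long_a, long_b = "a" * 72 + "X", "a" * 72 + "Y"
    print("72-byte prefix collision:", collides_after_truncation(long_a, long_b))
    print("NUL collision:", collides_after_truncation("pw\x00one", "pw\x00two"))
    print("72 ASCII chars accepted:", accepts("a" * 72))
    print("72 two-byte chars accepted:", accepts("é" * 72))
```

The check runs before hashing, so a user with a 73-byte password gets a clear error at registration instead of a silent collision with every other password that shares those first 72 bytes.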