by taurknaut 494 days ago
> but they wanted a hash function with unlimited input size

I'm kind of baffled how they came to use bcrypt for this. Bcrypt is not exactly subtle about only supporting 72 bytes of input. And this is at a company who provides auth as a service; I've got to imagine they had multiple engineers who knew this (I guess not working on that code). Hell, I know this and I've only used bcrypt twice and I'm nowhere near a security/crypto guy.

1 comments

BCrypt should loudly fail if more than 72 bytes are sent to its input.
Maybe it should. Discarding the rest of the bytes works fine for passwords, though. I guess that's just not sufficient.
In my book, discarding entropy is a generally dumb thing to do. Passwords are usually under 72 chars, but a lot of people use concatenations of usernames and passwords in their hash to get guaranteed domain separation between users.
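
The failure mode discussed in this thread, as an added example that is not code from any commenter or from the company being discussed. It models the 72-byte truncation with a slice rather than calling a bcrypt library, and all function names and the sample account are constructed for illustration.

```python
import base64
import hashlib

BCRYPT_MAX = 72  # bytes of input bcrypt uses, as stated in the thread

# Constructed sample: a 72-byte username, so a concatenated password
# falls entirely outside the bytes bcrypt looks at.
USER = "a" * 59 + "@example.test"


def naive_input(username: str, password: str) -> bytes:
    """The username+password concatenation mentioned in the thread."""
    return username.encode() + password.encode()


def truncated_view(data: bytes) -> bytes:
    """Model of silent truncation: only the first 72 bytes are hashed."""
    return data[:BCRYPT_MAX]


def strict_input(username: str, password: str) -> bytes:
    """Same concatenation, but fail loudly instead of discarding bytes."""
    data = naive_input(username, password)
    if len(data) > BCRYPT_MAX:
        raise ValueError(
            f"{len(data)} bytes exceeds bcrypt's {BCRYPT_MAX}-byte input limit"
        )
    return data


def prehashed_input(username: str, password: str) -> bytes:
    """Compress arbitrary-length input to 44 bytes before handing it to bcrypt.

    The length prefix keeps (username, password) pairs unambiguous.
    Base64 keeps NUL bytes out of the result, since C-string-based bcrypt
    implementations treat a NUL as the end of the input.
    """
    u, p = username.encode(), password.encode()
    digest = hashlib.sha256(len(u).to_bytes(4, "big") + u + p).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    same = truncated_view(naive_input(USER, "right")) == truncated_view(
        naive_input(USER, "wrong")
    )
    print("truncated inputs identical for different passwords:", same)
    print("pre-hashed length:", len(prehashed_input(USER, "right")))
```

With the silent-truncation model, every password for this account maps to the same bcrypt input; the strict variant rejects the input and the pre-hashed variant keeps all of it.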