[xx_ns]

bcrypt, one of the more popular password hashing algorithms out there, allows the password to be up to 72 characters in length. Any characters beyond that 72 limit are ignored and the password is silently truncated (!!!). It's actually a good method of testing whether a site uses bcrypt or not. If you set a password longer than 72 characters, but can sign in using just the 72 characters of your password, they're in all likelihood using bcrypt.

[integralid]

Yeah, that's why bcrypt is broken and shouldn't be used today. It had a good run, but nowadays we have better options like scrypt or argon2.

[daneel_w]

It's not broken. It's just potentially less helpful when it comes to protecting poor guessable passwords. bcrypt isn't the problem, weak password policies/habits are. Like bcrypt, argon2 is just a bandaid, though a tiny bit thicker. It won't save you from absurdly short passwords or silly "correct horse battery staple" advice, and it's no better than bcrypt at protecting proper unguessable passwords.

Also, only developers who have no idea know what they're doing will feed plain-text passwords to their hasher. You should be peppering and pre-digesting the passwords, and at that point bcrypt's 72 character input limit doesn't matter.

[kbolino]

Bcrypt alone is unfit for purpose. Argon2 does not need its input to be predigested.

It's easy for somebody who knows this to fix bcrypt, but silently truncating the input was an unforced error. The fact that it looks like and was often sold as the right tool for the job but isn't has led to real-world vulnerabilities.

It's a classic example of crypto people not anticipating how things actually get used.

(Otherwise, though, I agree)

[daneel_w]

Peppering is for protecting self-contained password hashes in case they leak. It's a secondary salt meant to be situated 1) external to the hash, and 2) external to the storage component the hashes reside in (i.e. not in the database you store accounts and hashes in). The method has nothing to do with trying to fix anything with bcrypt. You should be peppering your input even if you use Argon2.

[kbolino]

Right, but peppering was not part of my comment. You can't always pepper, and there are different ways to do it. It's (mostly) orthogonal to the matter.

You do not have to do any transformations on the input when using Argon2, while you must transform the input before using bcrypt. This was, again, an unnecessary and dangerous (careless) design choice.

[daneel_w]

I don't understand your responses here. Clearly you are not familiar with what problem peppering solves, or why it's a recommended practice, no matter what self-contained password hashing you use. bcrypt, scrypt, Argon2; they are all subject to the same recommendation because they all store their salt together with the digest. You can always use a pepper, you should always use a pepper, and there's only one appropriate way to do it.

[efilife]

Why is the "correct horse battery staple" advice silly?

[daneel_w]

Using memorable passphrases online is always a bad option because they're easily broken with a dictionary attack, unless you bump the number of words to the point where it becomes hard to remember the phrase. Use long strings of random characters instead, and contain the use of passphrases to unlocking your password manager.

[kbolino]

To wit, each word drawn from a 10,000-word dictionary adds about 13 bits of entropy. At 4 words, you have (a little over) 52 bits of entropy, which is roughly equivalent to a 9-character alphanumeric (lower and upper) password. The going recommendation is 14 such characters, which would mean you'd need about 7 words.

[daneel_w]

The average person will create a passphrase from their personal dictionary of most-used words, amounting to a fraction of that. An attacker will start in the same way. Another problem with passphrases is that you'll have a hard time remembering more than a couple of them, and which phrase goes to what website.