by tom1337
233 days ago
Also, argon doesn't care about input length, compared to bcrypt, which only ever compares the first 72 bytes of a hash.
Okta actually fell victim to this because they concatenated userid + username + password. If userid + password were over 72 bytes, then the password would never be checked, thus you could log in with userid + username. https://trust.okta.com/security-advisories/okta-ad-ldap-dele...
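The truncation described in the comment above, as an added example that is not part of the original comment or of Okta's code. It models the 72-byte cutoff with a slice instead of calling a bcrypt library, and shows one common mitigation (length-prefixing the fields and HMAC-SHA256 pre-hashing before bcrypt); all function names, the pepper and the sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

BCRYPT_MAX_INPUT = 72  # bytes of input bcrypt actually uses


def bcrypt_effective_input(data: bytes) -> bytes:
    """Model only: the slice of the input a truncating bcrypt keys on."""
    return data[:BCRYPT_MAX_INPUT]


def naive_key_material(user_id, username, password):
    """Concatenation from the comment: userid + username + password."""
    return (user_id + username + password).encode("utf-8")


def password_bytes_covered(user_id, username, password):
    """Number of password bytes that land inside the 72-byte window."""
    prefix = len((user_id + username).encode("utf-8"))
    pw_len = len(password.encode("utf-8"))
    return max(0, min(pw_len, BCRYPT_MAX_INPUT - prefix))


def safe_key_material(user_id, username, password, pepper):
    """Length-prefix every field, then HMAC-SHA256 the lot.

    Base64 of the 32-byte digest is 44 NUL-free bytes, so the whole value
    fits under the limit and every input byte influences it.
    """
    mac = hmac.new(pepper, digestmod=hashlib.sha256)
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return base64.b64encode(mac.digest())


# Constructed sample values (not from the advisory).
USER_ID = "00u" + "1" * 17                 # 20 bytes
LONG_NAME = "a" * 40 + "@example.com"      # 52 bytes
PEPPER = b"constructed-demo-pepper"        # hypothetical server-side secret

if __name__ == "__main__":
    for pw in ("correct horse", "anything else"):
        naive = bcrypt_effective_input(naive_key_material(USER_ID, LONG_NAME, pw))
        safe = safe_key_material(USER_ID, LONG_NAME, pw, PEPPER)
        print(password_bytes_covered(USER_ID, LONG_NAME, pw), naive[-8:], safe[:12])
```

The output of `safe_key_material` is what would be passed to bcrypt in place of the raw concatenation.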