Hacker News new | ask | show | jobs
by nopal 4653 days ago
I think that method was just added in response to this vulnerability:

https://github.com/django/django/commit/aae5a96d5754ad34e48b...
1 comments
davis_m 4653 days ago
Yeah, that is what I am saying. They keep saying that they limited the length of passwords to 4096 bytes, but they actually limited them to 4096 characters.
link
masklinn 4653 days ago
Nope. MAXIMUM_PASSWORD_LENGTH is used both as the limit of CharField and as the limit of KDFs. CharField is unicode[0] and thus work on code units (codepoints in Python 3.3, depends whether the build is narrow or wide in previous versions) but KDFs work on bytes.

You can see that clearly in the test suite, where the input of KDFs are byte objects:

        self.assertRaises(
        ValueError,
        make_password,
        b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
        "seasalt",
        "md5",
    )
because the number of code units is at most the number of input bytes (with fixed-width 8-bit encodings), KDFs will be the limiting factor and the limit is thus 4096 bytes.

[0] https://docs.djangoproject.com/en/dev/ref/unicode/#models

> model fields that are character based (CharField, TextField, URLField, etc) will contain Unicode

link