BcryptNet / bcrypt.net

BCrypt.Net - Bringing updates to the original bcrypt package

Is there a limit to the password length?

Kritner opened this issue · comments

I was just throwing together some "unit tests" to check my assumptions, and am getting unexpected behavior.

    using FluentAssertions; // provides .Should().BeTrue() / .BeFalse()
    using Xunit;            // provides [Fact]

    public class BCryptAssumptionTests
    {
        // Deliberately long password (well over 72 bytes) and the hash that was generated from it.
        const string Password = "my super neat password that's totally secure because it's super long and i don't think anyone would be able to guess it because it's so long, you know what i mean my dude?";
        const string PasswordHash = "$2a$10$v37CqgsS7FsN053FcBpon.ziY7I.lfoodH.6lIvkc9OhbTFrgG2ZO";

        [Fact]
        public void WhenGivenCorrectPasswordAndHash_ShouldReturnTrue()
        {
            var verifyResult = BCrypt.Net.BCrypt.Verify(Password, PasswordHash);

            verifyResult.Should().BeTrue();
        }

        [Fact]
        public void WhenGivenIncorrectPasswordAndHash_ShouldReturnFalse()
        {
            // Append to the original password; this should not verify against the stored hash.
            var mangledPassword = Password + "doots ";

            var verifyResult = BCrypt.Net.BCrypt.Verify(mangledPassword, PasswordHash);

            verifyResult.Should().BeFalse();
        }
    }


The test WhenGivenIncorrectPasswordAndHash_ShouldReturnFalse is failing because verifyResult is true, though the password being supplied is a different password than the one that was used to generate the hash. I've tried a few different mangledPassword values by appending to the end and am getting verifyResult of true with each one. If I instead prepend rather than append, I get an expected !verifyResult.


FWIW, after trimming about half the password I was using, I get the expected behavior, so I believe there is some limit to the length of password:

    using FluentAssertions; // provides .Should().BeTrue() / .BeFalse()
    using Xunit;            // provides [Fact] and Assert

    public class BCryptAssumptionTests
    {
        // Shorter password (68 characters) and the hash generated from it.
        const string Password = "my super neat password that's totally secure because it's super long";
        const string PasswordHash = "$2a$11$vBzJ4Ewx28C127AG5x3kT.QCCS8ai0l4JLX3VOX3MzHRkF4/A5twy";

        [Fact]
        public void WhenGivenPassword_ShouldGetHashForPassword()
        {
            // Placeholder test: exists only to generate a hash for the password above
            // (inspect `hash` in the debugger); it makes no assertion about the result.
            var hash = BCrypt.Net.BCrypt.HashPassword(Password);

            Assert.True(true);
        }

        [Fact]
        public void WhenGivenCorrectPasswordAndHash_ShouldReturnTrue()
        {
            var verifyResult = BCrypt.Net.BCrypt.Verify(Password, PasswordHash);

            verifyResult.Should().BeTrue();
        }

        [Fact]
        public void WhenGivenIncorrectPasswordAndHash_ShouldReturnFalse()
        {
            // With the shorter password, appending does change the verification result.
            var mangledPassword = Password + "doots ";

            var verifyResult = BCrypt.Net.BCrypt.Verify(mangledPassword, PasswordHash);

            verifyResult.Should().BeFalse();
        }
    }


Apologies if this is already documented somewhere, but if it's not, or if it's unexpected behavior, here's an issue! :D

This is using .net 6, and here's the include from csproj:

    <Project Sdk="Microsoft.NET.Sdk.Web">

      <PropertyGroup>
        <TargetFramework>net6.0</TargetFramework>
      </PropertyGroup>

      <ItemGroup>
        <PackageReference Include="BCrypt.Net-Next" Version="4.0.2" />
      </ItemGroup>

    </Project>
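The behaviour above is bcrypt's 72-byte key limit: the algorithm's key setup reads at most 72 bytes of the password, so bytes appended past that point never influence the hash. The following is an added example, not code from the issue or from BCrypt.Net: a hypothetical `GuardedBCrypt` wrapper that enforces the limit on the UTF-8 byte length before hashing and fails closed on verification, plus xUnit/FluentAssertions tests that pin the truncation observed with the library version on this page (which truncates rather than rejects) and exercise the guard.

```csharp
using System;
using System.Text;
using FluentAssertions;
using Xunit;

// Hypothetical wrapper (added example, not part of BCrypt.Net): bcrypt reads at most
// 72 bytes of the password and silently ignores the rest, so enforce that limit up front.
public static class GuardedBCrypt
{
    public const int MaxPasswordBytes = 72;

    // Count bytes, not chars: a non-ASCII password reaches the limit sooner.
    public static bool ExceedsLimit(string password) =>
        Encoding.UTF8.GetByteCount(password) > MaxPasswordBytes;

    public static string HashPassword(string password)
    {
        if (ExceedsLimit(password))
            throw new ArgumentException($"Password exceeds {MaxPasswordBytes} bytes.");
        return BCrypt.Net.BCrypt.HashPassword(password);
    }

    // Fail closed: an over-long candidate was never stored via HashPassword.
    public static bool Verify(string password, string hash) =>
        !ExceedsLimit(password) && BCrypt.Net.BCrypt.Verify(password, hash);
}

public class PasswordLengthTests
{
    // Constructed input: exactly 72 ASCII bytes, the most bcrypt will read.
    private static readonly string Exactly72 = new string('a', 72);

    [Fact] // the behaviour reported in this issue, as observed with BCrypt.Net-Next 4.0.2
    public void UnguardedVerify_IgnoresBytesAppendedBeyond72()
    {
        var hash = BCrypt.Net.BCrypt.HashPassword(Exactly72);
        BCrypt.Net.BCrypt.Verify(Exactly72 + "doots", hash).Should().BeTrue();
    }

    [Fact]
    public void Guard_RejectsOverLongPasswordsOnBothSides()
    {
        Action act = () => GuardedBCrypt.HashPassword(Exactly72 + "x");
        act.Should().Throw<ArgumentException>();
        var hash = GuardedBCrypt.HashPassword(Exactly72);
        GuardedBCrypt.Verify(Exactly72 + "doots", hash).Should().BeFalse();
        GuardedBCrypt.Verify(Exactly72, hash).Should().BeTrue();
    }
}
```

Rejecting over-long input at registration time is what keeps the fail-closed `Verify` safe; if existing users were enrolled without the check, surface the limit in the UI rather than silently truncating.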

Nevermind, I see this has been addressed in #84