Skip to content

Fix bcrypt hashing failure for passwords longer than 72 bytes#10

Open
ayushthoren wants to merge 1 commit intoProtonVPN:stablefrom
ayushthoren:stable
Open

Fix bcrypt hashing failure for passwords longer than 72 bytes#10
ayushthoren wants to merge 1 commit intoProtonVPN:stablefrom
ayushthoren:stable

Conversation

@ayushthoren
Copy link

@ayushthoren ayushthoren commented Nov 14, 2025

This PR fixes password hashing failures caused by bcrypt’s hard limit of 72 bytes on input passwords.

Currently, the full password is passed directly into bcrypt.hashpw(), which results in the error:
ValueError: password cannot be longer than 72 bytes, truncate manually if necessary

These changes manually truncate the password to avoid this issue.

@ayushthoren ayushthoren mentioned this pull request Nov 14, 2025
Closed
3 tasks
@UrsusMortiferum
Copy link

UrsusMortiferum commented Nov 14, 2025
edited
Loading

@ayushthoren, we shouldn't be silently truncating passwords. Disabling a test would be a better approach.

There was already a backlash around it few years ago when people discover that ProtonMail is silently cutting their passwords - reddit post - ProtonMail cuts (silently) passwords at 73 characters

@ayushthoren
Copy link
Author

ayushthoren commented Nov 14, 2025

Ah, you're right... I think I needed to look at this from the perspective of fixing the test, not the code, since it seems to be expected that the test will fail. Because of this, I think rather than disabling the test entirely, it might be better to switch the Exception from None to ValueError in this case?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ayushthoren @UrsusMortiferum