Question
I want to allow any-sized passwords to be allowed to be submitted. I currently use bcrypt as a key derivation function for passwords, however I have realized that it has a maximum input length of 72.
Because of this, I would like to sha512 passwords before passing them to bcrypt, allowing any-sized passwords to register, because it's my understanding that sha512 outputs 64 bytes.
Is this OK practice? I've heard that mixing and matching hashes, or "creating your own crypto" is bad practice, but this seems like a viable workaround to the hard limit.
Explanation / Answer
Hashing passwords with a decent, secure hash function before pushing them into bcrypt is a reasonable and secure way to keep all the goodness of bcrypt, and additionally support passwords of arbitrary size.
You still want to exercise caution about some practical details. In particular, many bcrypt implementations expect a password, i.e. a sequence of characters, terminating with the first byte of value 0x00. The output of SHA-512 is binary and thus may contain some bytes of value 0x00. For instance, 1/256th of all passwords will yield a hash value which begins with a byte of value 0x00, that a string-based bcrypt instance will understand as equivalent to an empty password. This is not good...
The solution is to use a deterministic bytes-to-characters encoding, e.g. Base64. Since this implies some size extension, SHA-512 will no longer be adequate (Base64 turns 64 bytes into 88 characters, more than the 72 limit of bcrypt). Therefore, use SHA-256: the 256-bit output (32 bytes) will be encoded by Base64 into 44 characters, and that will be fine with bcrypt.
(The 512-bit output size of SHA-512 is utter overkill anyway. SHA-256 is good enough.)
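The pitfall and the fix described in the answer above, as an added example that is not part of the original answer. `c_string_view` is a hypothetical stand-in for a bcrypt interface that stops at the first 0x00 byte, the passwords are constructed, and bcrypt itself is not called: the value returned by `prehash` is what would be passed to it.

```python
import base64
import hashlib
from itertools import count

BCRYPT_MAX = 72  # bcrypt's input limit in bytes, as stated in the question


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated (string-based) bcrypt interface would see."""
    return data.split(b"\x00", 1)[0]


def prehash(password: str) -> bytes:
    """Base64(SHA-256(password)): 44 ASCII characters, never contains 0x00."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def find_leading_nul_password() -> str:
    """Search constructed passwords for one whose raw SHA-512 starts with 0x00."""
    for i in count():
        candidate = f"constructed-password-{i}"
        if hashlib.sha512(candidate.encode("utf-8")).digest()[0] == 0:
            return candidate


def demo() -> dict:
    pw = find_leading_nul_password()  # about 1 in 256 candidates qualifies
    raw = hashlib.sha512(pw.encode("utf-8")).digest()
    encoded = prehash(pw)
    return {
        "password": pw,
        # Raw digest handed to a string-based bcrypt: seen as an empty password.
        "raw_seen_by_c_string_bcrypt": c_string_view(raw),
        "encoded": encoded,
        # Base64 output has no 0x00 byte, so nothing is cut off.
        "encoded_seen_by_c_string_bcrypt": c_string_view(encoded),
        # Base64 of a 64-byte SHA-512 digest is too long for bcrypt.
        "sha512_b64_len": len(base64.b64encode(raw)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```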