For passwords longer than 72 characters, Auth0 is ignoring all characters after the 72nd

After setting a password in Auth0 with a length greater than 72 characters, if you try to log in using that password but omit or change the characters after the 72nd character, the password will still be accepted. I was able to reproduce this bug on multiple tenants.

This was something that came up during testing. I’m aware that a password with good entropy has no need to be longer than 25 characters, but I thought this was odd behavior. Any ideas why this is happening?

Thanks

Hi @kenneth.myers,
Welcome to the community.
I’ll report this internally. Thanks for reporting.
(No idea why; maybe some truncation is happening at some point, or some field length limitation.)

Bcrypt, which is the hashing algorithm Auth0 uses, truncates after 72 chars (see the Wiki page for details). So it’s by design in a way; however, I agree that the UI should have a proper field limitation in place and the API response when setting passwords longer than 72 chars should reflect that accordingly. I’ve reported this internally.
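To make the truncation concrete, here is an added example (not Auth0's code and not from the thread) that shows which bytes bcrypt actually consumes and the registration-side check the reply above calls for. It assumes the 72-byte limit that standard bcrypt implementations apply to the UTF-8 encoded password, so multibyte characters use up the budget faster than the "72 characters" in the thread suggests.

```python
# Added illustration of bcrypt's 72-byte input limit (assumed per standard bcrypt).
# Standard bcrypt keys on at most the first 72 bytes of the password; anything
# after that has no effect on the resulting hash, which is what the thread observes.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_bytes(password: str) -> bytes:
    """Return the portion of the UTF-8 encoded password that bcrypt actually hashes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def collide_under_bcrypt(a: str, b: str) -> bool:
    """True when two *different* passwords feed bcrypt identical input.

    Such a pair verifies against the same stored hash, so the second password
    is silently accepted as the first (the behaviour reported above).
    """
    return a != b and bcrypt_effective_bytes(a) == bcrypt_effective_bytes(b)


def validate_password_length(password: str, max_bytes: int = BCRYPT_MAX_BYTES) -> tuple[bool, str]:
    """Registration/UI-side check: reject input that bcrypt would silently cut off.

    The limit is counted in UTF-8 bytes, not characters, because that is what
    bcrypt sees. Returns (accepted, reason) so an API can report a clear error
    instead of storing a truncated secret.
    """
    n_bytes = len(password.encode("utf-8"))
    if n_bytes > max_bytes:
        return False, (f"password is {n_bytes} bytes; only the first {max_bytes} "
                       f"bytes would be hashed, so the tail would be ignored")
    return True, "ok"


if __name__ == "__main__":
    base = "a" * 72
    # Differ only in the 73rd character: same bcrypt input, same hash.
    print(collide_under_bcrypt(base + "X", base + "Y"))        # True
    # Differ at the 72nd character: bcrypt distinguishes them.
    print(collide_under_bcrypt("a" * 71 + "X", "a" * 71 + "Y"))  # False
    # 40 two-byte characters = 80 bytes, rejected even though it is "only" 40 chars.
    print(validate_password_length("\u00e9" * 40))
```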


Great thanks! Appreciate the quick reply!
