
Is Rails Devise gem truncating passwords?

OWASP ASVS Standards

I am testing a web app against OWASP standards:

2.1.3 Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space

We are using Rails, along with Devise gem for authentication. While testing whether we meet the requirements of 2.1.3, I noticed that longer passwords are truncated.

I can set the following password: NVjEuRjiFcDGYfhm9kh9pTxUvHwKyTpNMhXqwDBHoaU3cHKv2guZJTwrUZyNN9GiJ4B8TjtiWpCWZXVsRoXmhXKEtzqJr7qnngQlfldlfdlE (108 chars)

I can sign in with the above password fine. I can also sign in with this truncated version of it, though:

NVjEuRjiFcDGYfhm9kh9pTxUvHwKyTpNMhXqwDBHoaU3cHKv2guZJTwrUZyNN9GiJ4B8Tjti

Beyond those 72 chars, I can add or remove characters, or just lop them all off, and I can still sign in. I only need the first 72 chars to be correct, the rest appears to get ignored. I haven't checked yet, but different characters might require more storage, and could shorten the length required for authentication.

Looking in the db, I can see the field is varchar(128) - 128 being the maximum length, going by OWASP:

2.1.2 Verify that passwords 64 characters or longer are permitted but may be no longer than 128 characters.

I assumed the user entered password should be up to 128 chars, but it seems the field only stores 128 chars, and 29 of them are being used by Devise for the salt.

How Devise Encrypts Passwords

I have only a vague understanding of how hashing/encrypting work - I understand the encrypted password length is not necessarily the same as the user entered password length. But since my password is being truncated, it seems like Devise didn't leave enough room for a user entered password to be 128 chars.

Am I mis-reading the OWASP standards, or is this a flaw in Devise, or am I missing something?

As the article you linked to states, Devise defaults to using bcrypt to encrypt your password. It's the bcrypt algorithm that has the limitation. See:

https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length

https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length

I think you could say this is a flaw, in that Devise should handle this case better. You could also see it as a known limitation of the default Devise configuration.

If you are going to use Devise with bcrypt, I think you need to validate that passwords are within this limit. It's not uncommon to see this kind of limit in web registration forms. In the Devise initializer, I see an option to change the encryption algorithm. I haven't done it myself, but I think if you wanted to exceed the limitations of bcrypt, the way to do it would be to pick a different algorithm.
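The following is an added example, not code from the question, from Devise or from the bcrypt-ruby gem. It models bcrypt's 72-byte key limit in plain Ruby, reproduces the collision from the question using the poster's own 108-character password, shows why a character-count rule such as Devise's `config.password_length` cannot catch the multi-byte case the question speculates about, and sketches the byte-count validation the answer recommends. The function names (`bcrypt_key_material`, `bcrypt_equivalent?`, `password_length_errors`, `real_bcrypt_accepts?`) and the `ü` test passwords are my own constructions; the optional cross-check against the real gem runs only when `bcrypt` is installed.

```ruby
# Added example, not code from Devise or bcrypt-ruby. It models the 72-byte
# key limit of bcrypt in plain Ruby, reproduces the collision from the question
# with the poster's own password, shows why a character-count rule (Devise's
# config.password_length) does not close the gap for multi-byte input, and
# gives a byte-count validation that does.

BCRYPT_MAX_BYTES = 72 # bcrypt uses at most 72 bytes of the password as key material

# The bytes bcrypt actually hashes: the UTF-8 encoding of the password cut at
# 72 bytes. Whatever follows is ignored, which is the truncation observed above.
# (Assumes the password contains no NUL byte; bcrypt stops at the first NUL.)
def bcrypt_key_material(password)
  password.encode("UTF-8").b[0, BCRYPT_MAX_BYTES]
end

# True when bcrypt would accept either password for the other: the same first
# 72 bytes give the same hash under the same salt.
def bcrypt_equivalent?(a, b)
  bcrypt_key_material(a) == bcrypt_key_material(b)
end

# Devise's config.password_length = 6..128 counts characters, so it cannot see
# the byte limit. This policy counts bytes for the upper bound. Returns an
# array of error messages; empty means the password is acceptable.
def password_length_errors(password, min_chars: 6, max_bytes: BCRYPT_MAX_BYTES)
  errors = []
  errors << "is too short (minimum is #{min_chars} characters)" if password.length < min_chars
  if password.bytesize > max_bytes
    errors << "is too long for bcrypt (#{password.bytesize} bytes, maximum is #{max_bytes})"
  end
  errors
end

# Optional cross-check with the real bcrypt-ruby gem, which Devise uses.
# Returns true/false when the gem is installed and nil when it is not, so the
# rest of the file runs without it. cost: 4 keeps the demo fast.
def real_bcrypt_accepts?(stored_password, candidate)
  require "bcrypt"
  BCrypt::Password.create(stored_password, cost: 4) == candidate
rescue LoadError
  nil
end

# The 108-character password from the question and its first 72 characters.
LONG_PASSWORD = "NVjEuRjiFcDGYfhm9kh9pTxUvHwKyTpNMhXqwDBHoaU3cHKv2guZJTwrUZyNN9GiJ4B8TjtiWpCWZXVsRoXmhXKEtzqJr7qnngQlfldlfdlE"
PREFIX_72     = LONG_PASSWORD[0, 72]

# Constructed multi-byte passwords: 36 and 40 copies of "ü" (two bytes each
# in UTF-8). Both pass a 128-character cap; both collide at 72 bytes.
UMLAUT_36 = "\u00FC" * 36 # 72 bytes
UMLAUT_40 = "\u00FC" * 40 # 80 bytes

if __FILE__ == $PROGRAM_NAME
  puts "ASCII: 108 chars vs first 72 -> equivalent? #{bcrypt_equivalent?(LONG_PASSWORD, PREFIX_72)}"
  puts "ASCII: 108 chars vs first 71 -> equivalent? #{bcrypt_equivalent?(LONG_PASSWORD, LONG_PASSWORD[0, 71])}"
  puts "UTF-8: 36 x ü (#{UMLAUT_36.bytesize} bytes) vs 40 x ü (#{UMLAUT_40.bytesize} bytes) -> equivalent? #{bcrypt_equivalent?(UMLAUT_36, UMLAUT_40)}"
  puts "Policy, 108-char password: #{password_length_errors(LONG_PASSWORD).inspect}"
  puts "Policy, 40 x ü:            #{password_length_errors(UMLAUT_40).inspect}"
  puts "Policy, 72-char prefix:    #{password_length_errors(PREFIX_72).inspect}"
  real = real_bcrypt_accepts?(LONG_PASSWORD, PREFIX_72)
  puts "bcrypt-ruby confirms prefix login: #{real.nil? ? 'gem not installed' : real}"
end
```

Two things worth noting when applying this to a Devise model. First, the upper bound has to be checked in bytes, not characters: forty `ü` characters are well inside a 128-character limit yet exceed 72 bytes, and bcrypt will treat that password and its 36-character prefix as identical. Second, capping at 72 bytes satisfies ASVS 2.1.3 (no silent truncation) but means a 64-character password made of multi-byte characters will be rejected, which cuts against 2.1.2; if that matters for your user base, the answer's other suggestion, switching the Devise encryptor to an algorithm without bcrypt's key limit, is the way to keep both requirements.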
