Is BCryptPasswordEncoder's password length limit more than 72 characters?


Question

I saw a post saying that bcrypt has a 72-character limit. So I tested Spring Security's BCryptPasswordEncoder to see what would happen. I tried a length of over 1000 and it worked normally. Not even a warning log was output.

I tried the JavaDoc and online docs but couldn't find anything about an input length limitation.

Is BCryptPasswordEncoder's password length limit more than 72 characters? If so, can I use this in my web applications?

Recommended answer

It seems BCryptPasswordEncoder crops the password without any warning.

I tried with BCrypt instead of BCryptPasswordEncoder, like this.

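// Imports for the top of the test class file (JUnit 4 assumed)
import java.util.Arrays;
import org.junit.Test;
import org.springframework.security.crypto.bcrypt.BCrypt;

@Test
public void testBcrypt() throws Exception {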
    final String pw1_a71 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
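    // 72 characters: the last one ('b') still falls inside bcrypt's 72-byte window
    final String pw2 = pw1_a71 + "b";
    // 73 characters: differs from pw2 only in the 73rd character
    final String pw3 = pw2 + "b";
    // 73 characters: differs from pw2 in the very first character
    final String pw4 = "b" + pw2;

    // Reuse one salt so that equal effective inputs give equal hashes
    final String gensalt = BCrypt.gensalt();
    for (final String pw : Arrays.asList(pw1_a71, pw2, pw3, pw4)) {
        System.out.println(BCrypt.hashpw(pw, gensalt));
    }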
}

Output:

$2a$10$9S6TbAreOnBH1ZCdZ.G0WOBxiIEizo92CNeFFBlcg1bxyGa9mMgEu
$2a$10$9S6TbAreOnBH1ZCdZ.G0WO4Pm8wq3zRnVR6szbZynp8DHOq3XCwoW
$2a$10$9S6TbAreOnBH1ZCdZ.G0WO4Pm8wq3zRnVR6szbZynp8DHOq3XCwoW
$2a$10$9S6TbAreOnBH1ZCdZ.G0WOCC3kvOwtnzVpiEmOWvIA6WIKzxi7lhy
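
As an added example (not code from the original post or from Spring Security), one way to stop the silent truncation shown above is to wrap the encoder and refuse any password longer than 72 bytes in UTF-8. The class name LengthCheckedBCryptEncoder and its fits helper are hypothetical; spring-security-crypto on the classpath and Java 11 or later are assumed.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical wrapper (not part of Spring Security): refuses input bcrypt would truncate. */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {
    static final int BCRYPT_MAX_BYTES = 72; // bcrypt's key schedule reads at most 72 bytes
    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    // Measure UTF-8 bytes, not chars: a non-ASCII character occupies more than one byte.
    static boolean fits(CharSequence raw) {
        return raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence raw) {
        if (!fits(raw)) {
            // Fail at registration or password change instead of hashing only a prefix.
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes in UTF-8");
        }
        return delegate.encode(raw);
    }

    @Override
    public boolean matches(CharSequence raw, String encoded) {
        // An over-long attempt cannot equal any password encode() accepted,
        // so reject it rather than let it match on its first 72 bytes.
        return fits(raw) && delegate.matches(raw, encoded);
    }

    public static void main(String[] args) {
        PasswordEncoder enc = new LengthCheckedBCryptEncoder();
        String pw72 = "a".repeat(71) + "b";                 // constructed sample, 72 bytes
        String hash = enc.encode(pw72);
        System.out.println(enc.matches(pw72, hash));        // the exact password
        System.out.println(enc.matches(pw72 + "b", hash));  // 73 bytes, over the limit
        System.out.println(fits("é".repeat(37)));           // 37 chars but 74 UTF-8 bytes
        try {
            enc.encode(pw72 + "b");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Accounts whose passwords were already stored from input longer than 72 bytes will fail matches() under this wrapper, so introducing it on an existing user base needs a password-reset path for those users.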
