On Mon, Dec 08, 2025 at 10:33:17AM +0100, Christoph Berg wrote:
> Re: To Debian Bug Tracking System
> > from passlib.hash import bcrypt
> > bcrypt.verify('xxx',
> > '$2y$10$KwfCiMkON5ByhhzAtwUYRuegt7IJpm34JW4GN2FOVue6VOg7yJp6q')
> > ValueError: password cannot be longer than 72 bytes, truncate manually if
> > necessary (e.g. my_password[:72])
> This is fixed by the new python-passlib in unstable (uploaded
> yesterday). I guess there should be a Breaks in python-bcrypt for that.
Sure - I'll add one.
For the record, this was an intentional change in python-bcrypt,
described in its README:
* Passing ``hashpw`` a password longer than 72 bytes now raises a
``ValueError``. Previously the password was silently truncated, following the
behavior of the original OpenBSD ``bcrypt`` implementation.
As described in https://github.com/notypecheck/passlib/pull/21 which
fixed this in passlib, some implementations auto-truncated while some
had a wraparound bug (see
http://www.openwall.com/lists/oss-security/2012/01/02/4). So raising an
exception and making the caller figure out what to do seems fairly
reasonable to me.
--
Colin Watson (he/him) [[email protected]]
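The thread above leaves the decision about over-long passwords to the caller. The following is an added example (not code from the bug report, python-bcrypt or passlib) that spells out the three choices a caller has once hashpw() refuses inputs longer than 72 bytes: reject, truncate explicitly (the old silent behaviour), or pre-hash so any length fits. It uses only the standard library, so it runs without python-bcrypt installed; the function names and policy labels are this example's own, and the bytes it returns are what would be handed to bcrypt.hashpw()/checkpw().

```python
"""Caller-side handling for bcrypt's 72-byte input limit.

Added example, not code from python-bcrypt or passlib. The helper names
and policy labels ("reject", "truncate", "prehash") are assumptions of
this example; the 72-byte limit itself is bcrypt's.
"""
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt's key schedule consumes at most 72 bytes


def bcrypt_secret(password: str, policy: str = "reject") -> bytes:
    """Return the bytes to pass to bcrypt.hashpw()/checkpw().

    policy="reject":   raise ValueError above 72 bytes (what the new
                       python-bcrypt does inside hashpw)
    policy="truncate": keep the first 72 bytes (the old silent behaviour,
                       made explicit, as in the README's my_password[:72])
    policy="prehash":  SHA-256 then base64, so any length fits
    """
    raw = password.encode("utf-8")  # the limit is in bytes, not characters
    if policy == "reject":
        if len(raw) > BCRYPT_MAX_BYTES:
            raise ValueError(
                f"password is {len(raw)} bytes; bcrypt uses at most "
                f"{BCRYPT_MAX_BYTES}"
            )
        return raw
    if policy == "truncate":
        return raw[:BCRYPT_MAX_BYTES]
    if policy == "prehash":
        digest = hashlib.sha256(raw).digest()
        # base64 (44 bytes) rather than the raw digest: bcrypt treats the
        # key as a C string and stops at the first NUL byte
        return base64.b64encode(digest)
    raise ValueError(f"unknown policy {policy!r}")


def is_rejected(password: str) -> bool:
    """True if the 'reject' policy would refuse this password."""
    try:
        bcrypt_secret(password, "reject")
    except ValueError:
        return True
    return False


def collide_under_policy(a: str, b: str, policy: str) -> bool:
    """True if two distinct passwords map to the same bcrypt input."""
    return a != b and bcrypt_secret(a, policy) == bcrypt_secret(b, policy)


if __name__ == "__main__":
    # constructed sample inputs: identical for 72 bytes, different after
    long_a = "a" * 72 + "b"
    long_b = "a" * 72 + "c"
    print("truncate collides:", collide_under_policy(long_a, long_b, "truncate"))
    print("prehash collides: ", collide_under_policy(long_a, long_b, "prehash"))
    # 40 two-byte characters are 80 bytes, so they exceed the limit
    print("40 x 'é' rejected:", is_rejected("\u00e9" * 40))
```

Two caveats when choosing a policy: the byte count is what matters, so a 40-character non-ASCII password can already be over the limit; and switching from truncation to pre-hashing changes the bytes bcrypt sees, so hashes created under the old behaviour will no longer verify and need to be re-hashed at the user's next login.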