Enforce BCrypt password length

jgrandja · jgrandja · commit 46f0dc6dfc84 · 2025-03-17T13:23:27.000-04:00
diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -611,6 +611,9 @@ private static String hashpw(byte passwordb[], String salt, boolean for_check) {
 		int rounds, off;
 		StringBuilder rs = new StringBuilder();
 
+		if (passwordb.length > 72) {
+			throw new IllegalArgumentException("password cannot be more than 72 bytes");
+		}
 		if (salt == null) {
 			throw new IllegalArgumentException("salt cannot be null");
 		}
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
@@ -222,4 +222,14 @@ public void checkWhenNoRoundsThenTrue() {
 		assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse();
 	}
 
+	@Test
+	public void enforcePasswordLength() {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
+		assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue();
+		String password73chars = password72chars.concat("a");
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars)));
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -611,6 +611,9 @@ private static String hashpw(byte passwordb[], String salt, boolean for_check) {`
`611`	`611`	`int rounds, off;`
`612`	`612`	`StringBuilder rs = new StringBuilder();`
`613`	`613`
	`614`	`+ if (passwordb.length > 72) {`
	`615`	`+ throw new IllegalArgumentException("password cannot be more than 72 bytes");`
	`616`	`+ }`
`614`	`617`	`if (salt == null) {`
`615`	`618`	`throw new IllegalArgumentException("salt cannot be null");`
`616`	`619`	`}`
Original file line number	Diff line number	Diff line change
`@@ -222,4 +222,14 @@ public void checkWhenNoRoundsThenTrue() {`
`222`	`222`	`assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse();`
`223`	`223`	`}`
`224`	`224`
	`225`	`+ @Test`
	`226`	`+ public void enforcePasswordLength() {`
	`227`	`+ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();`
	`228`	`+ String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";`
	`229`	`+ assertThat(encoder.matches(password72chars, encoder.encode(password72chars))).isTrue();`
	`230`	`+ String password73chars = password72chars.concat("a");`
	`231`	`+ assertThatIllegalArgumentException()`
	`232`	`+ .isThrownBy(() -> encoder.matches(password73chars, encoder.encode(password73chars)));`
	`233`	`+ }`
	`234`	`+`
`225`	`235`	`}`