Do scrypt implementations have a maximum length for input(password)?

Specifically this. I know most bcrypt implementations are around 50 characters, but I'm pretty certain that's not the case with scrypt.

Pronation answered 5/8, 2014 at 6:43 Comment(0)

From a developer of the successor of scrypt:

...question that is related to both scrypt and yescrypt. Is there a maximum input length for passwords?

For the likely purposes of your question, no, there's no such length limit. (Of course, in practice computers have limited memory and integer variables in C have limited range, so there is some sort of large limit.)

I recommend that you do have some sane limit on the length of username and password inputs in your web app anyway. Something that would never get in the way of reasonable usage, but would prevent obviously erroneous (maybe malicious) inputs from getting to deeper layers.

I know bcrypt has a limit of 71 characters.

It's 72 for bcrypt.

Alexander

Pronation answered 19/1, 2015 at 23:23 Comment(0)

It should be noted that scrypt is basically PBKDF2 for the bulk of its work.

Basic use of PBKDF2 is:

bytes = PBKDF2(
      password, 
      salt, 
      numberOfBytes);

Scrypt is a glorified way of generating the salt fed to PBKDF2:

bytes = PBKDF2(
      password, 
      ScryptMixingStuff(password, originalSalt, N, r, p),
      numberOfBytes);

So the question becomes: What is the password length limitation in PBKDF2.

There is no practical password length limitation of PBKDF2. And so there is no practical password length limitation of scrypt.

Snood answered 3/10, 2016 at 15:54 Comment(0)
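
The two answers above can be checked directly with Python's `hashlib.scrypt`; this is an added example, not code from either answer. It shows that bytes past position 72 still change the output, that a password longer than HMAC-SHA256's 64-byte block is equivalent to its SHA-256 digest (a consequence of the PBKDF2 wrapping), and one way to apply the recommended input cap. The 1024-byte limit and the cost parameters are assumptions chosen for the demo.

```python
import hashlib
import os

MAX_PASSWORD_BYTES = 1024  # assumed application limit, not an scrypt limit
# Small demo cost parameters (assumption); tune upward for production.
N, R, P, DKLEN = 2**10, 8, 1, 32


def derive(password: bytes, salt: bytes) -> bytes:
    """Raw scrypt with no length check, used to inspect the primitive."""
    return hashlib.scrypt(password, salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def hash_password(password: str, salt: bytes) -> bytes:
    """Application wrapper: reject absurd input before it reaches the KDF."""
    raw = password.encode("utf-8")
    if not 0 < len(raw) <= MAX_PASSWORD_BYTES:
        raise ValueError("password length out of accepted range")
    return derive(raw, salt)


def differs_after_byte_72(salt: bytes) -> bool:
    """True if bytes past position 72 still change the output (no truncation)."""
    base = b"A" * 72
    return derive(base + b"x", salt) != derive(base + b"y", salt)


def long_password_is_prehashed(salt: bytes) -> bool:
    """HMAC-SHA256 replaces keys longer than its 64-byte block with their
    SHA-256 digest, and scrypt only uses the password as that HMAC key."""
    long_pw = b"B" * 65
    return derive(long_pw, salt) == derive(hashlib.sha256(long_pw).digest(), salt)


if __name__ == "__main__":
    salt = os.urandom(16)
    print("bytes past 72 matter:", differs_after_byte_72(salt))
    print("65-byte password == its SHA-256:", long_password_is_prehashed(salt))
```

The pre-hash equivalence does not weaken ordinary passwords; it only means input beyond 64 bytes is compressed to a 256-bit value before the memory-hard work begins.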
