docs: note about truncation at 72 bytes

riverrun · riverrun · commit fa1de6c34910 · 2025-05-19T21:18:17.000+07:00
diff --git a/lib/bcrypt.ex b/lib/bcrypt.ex
@@ -24,23 +24,39 @@ defmodule Bcrypt do
   be configured to remain slow and resistant to brute-force attacks even as
   computational power increases.
 
+  ### Warning {: .warning}
+
+  Note that bcrypt only hashes the first 72 bytes of the input string.
+  If you are using bcrypt to hash data that is secret, such as passwords,
+  this will not cause any issues. However, if the string you are hashing
+  contains data that is not secret, then the fact that only the first 72 bytes
+  are hashed might lead to security issues.
+
+  See https://github.com/riverrun/bcrypt_elixir/issues/51 for more information.
+
   ## Bcrypt versions
 
-  This bcrypt implementation is based on the latest OpenBSD version, which
-  fixed a small issue that affected some passwords longer than 72 characters.
-  By default, it produces hashes with the prefix `$2b$`, and it can check
-  hashes with either the `$2b$` prefix or the older `$2a$` prefix.
-  It is also possible to generate hashes with the `$2a$` prefix by running
-  the following command:
+  This bcrypt implementation is based on the latest OpenBSD version, which uses
+  the prefix `$2b$`.
 
-      Bcrypt.Base.hash_password("hard to guess", Bcrypt.Base.gen_salt(12, true))
+  The `$2b$` prefix was used to replace the previous `$2a$` prefix in 2014 when
+  a bug affecting passwords longer than 255 bytes was discovered.
+  See https://undeadly.org/cgi?action=article&sid=20140224132743 for details.
 
-  This option should only be used if you need to generate hashes that are
-  then checked by older libraries.
+  For password verification, hashes with either the `$2b$` prefix or the older
+  `$2a$` prefix are supported.
+
+  This is not recommended, but to create hashes that use the older `$2a$` prefix,
+  you can do so by running the following command:
+
+      Bcrypt.Base.hash_password("hard to guess", Bcrypt.Base.gen_salt(12, true))
 
-  The `$2y$` prefix is not supported. For advice on how to use hashes with the
-  `$2y$` prefix, see [this issue](https://github.com/riverrun/comeonin/issues/103).
-  Hash the password with a salt which is randomly generated.
+  The `$2y$` prefix is not supported, as this prefix was introduced by crypt_blowfish,
+  a PHP implementation of bcrypt, and it is not supported by OpenBSD. However,
+  if you need to support the `$2y$` prefix, note that, according to https://www.openwall.com/crypt/,
+  "the $2b$ prefix ... behaves exactly the same as crypt_blowfish's $2y$",
+  and so you could use this library for password verification after replacing
+  the `$2y$` prefix of the hashes with `$2b$`.
   """
 
   use Comeonin
diff --git a/mix.exs b/mix.exs
@@ -2,7 +2,7 @@ defmodule BcryptElixir.Mixfile do
   use Mix.Project
 
   @source_url "https://github.com/riverrun/bcrypt_elixir"
-  @version "3.3.1"
+  @version "3.3.2"
   @description "Bcrypt password hashing algorithm for Elixir"
 
   def project do
diff --git a/mix.lock b/mix.lock
@@ -2,10 +2,10 @@
   "comeonin": {:hex, :comeonin, "5.5.1", "5113e5f3800799787de08a6e0db307133850e635d34e9fab23c70b6501669510", [:mix], [], "hexpm", "65aac8f19938145377cee73973f192c5645873dcf550a8a6b18187d17c13ccdb"},
   "dialyxir": {:hex, :dialyxir, "1.4.5", "ca1571ac18e0f88d4ab245f0b60fa31ff1b12cbae2b11bd25d207f865e8ae78a", [:mix], [{:erlex, ">= 0.2.7", [hex: :erlex, repo: "hexpm", optional: false]}], "hexpm", "b0fb08bb8107c750db5c0b324fa2df5ceaa0f9307690ee3c1f6ba5b9eb5d35c3"},
   "earmark": {:hex, :earmark, "1.3.2", "b840562ea3d67795ffbb5bd88940b1bed0ed9fa32834915125ea7d02e35888a5", [:mix], [], "hexpm"},
-  "earmark_parser": {:hex, :earmark_parser, "1.4.43", "34b2f401fe473080e39ff2b90feb8ddfeef7639f8ee0bbf71bb41911831d77c5", [:mix], [], "hexpm", "970a3cd19503f5e8e527a190662be2cee5d98eed1ff72ed9b3d1a3d466692de8"},
+  "earmark_parser": {:hex, :earmark_parser, "1.4.44", "f20830dd6b5c77afe2b063777ddbbff09f9759396500cdbe7523efd58d7a339c", [:mix], [], "hexpm", "4778ac752b4701a5599215f7030989c989ffdc4f6df457c5f36938cc2d2a2750"},
   "elixir_make": {:hex, :elixir_make, "0.9.0", "6484b3cd8c0cee58f09f05ecaf1a140a8c97670671a6a0e7ab4dc326c3109726", [:mix], [], "hexpm", "db23d4fd8b757462ad02f8aa73431a426fe6671c80b200d9710caf3d1dd0ffdb"},
   "erlex": {:hex, :erlex, "0.2.7", "810e8725f96ab74d17aac676e748627a07bc87eb950d2b83acd29dc047a30595", [:mix], [], "hexpm", "3ed95f79d1a844c3f6bf0cea61e0d5612a42ce56da9c03f01df538685365efb0"},
-  "ex_doc": {:hex, :ex_doc, "0.36.1", "4197d034f93e0b89ec79fac56e226107824adcce8d2dd0a26f5ed3a95efc36b1", [:mix], [{:earmark_parser, "~> 1.4.42", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_c, ">= 0.1.0", [hex: :makeup_c, repo: "hexpm", optional: true]}, {:makeup_elixir, "~> 0.14 or ~> 1.0", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1 or ~> 1.0", [hex: :makeup_erlang, repo: "hexpm", optional: false]}, {:makeup_html, ">= 0.1.0", [hex: :makeup_html, repo: "hexpm", optional: true]}], "hexpm", "d7d26a7cf965dacadcd48f9fa7b5953d7d0cfa3b44fa7a65514427da44eafd89"},
+  "ex_doc": {:hex, :ex_doc, "0.38.1", "bae0a0bd5b5925b1caef4987e3470902d072d03347114ffe03a55dbe206dd4c2", [:mix], [{:earmark_parser, "~> 1.4.44", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_c, ">= 0.1.0", [hex: :makeup_c, repo: "hexpm", optional: true]}, {:makeup_elixir, "~> 0.14 or ~> 1.0", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1 or ~> 1.0", [hex: :makeup_erlang, repo: "hexpm", optional: false]}, {:makeup_html, ">= 0.1.0", [hex: :makeup_html, repo: "hexpm", optional: true]}], "hexpm", "754636236d191b895e1e4de2ebb504c057fe1995fdfdd92e9d75c4b05633008b"},
   "makeup": {:hex, :makeup, "1.2.1", "e90ac1c65589ef354378def3ba19d401e739ee7ee06fb47f94c687016e3713d1", [:mix], [{:nimble_parsec, "~> 1.4", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "d36484867b0bae0fea568d10131197a4c2e47056a6fbe84922bf6ba71c8d17ce"},
   "makeup_elixir": {:hex, :makeup_elixir, "1.0.1", "e928a4f984e795e41e3abd27bfc09f51db16ab8ba1aebdba2b3a575437efafc2", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "7284900d412a3e5cfd97fdaed4f5ed389b8f2b4cb49efc0eb3bd10e2febf9507"},
   "makeup_erlang": {:hex, :makeup_erlang, "1.0.2", "03e1804074b3aa64d5fad7aa64601ed0fb395337b982d9bcf04029d68d51b6a7", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "af33ff7ef368d5893e4a267933e7744e46ce3cf1f61e2dccf53a111ed3aa3727"},
