Does bcrypt have a maximum password length?
Yes, bcrypt has a maximum password length. The original article contains this:
the key argument is a secret encryption key, which can be a user-chosen password of up to 56 bytes (including a terminating zero byte when the key is an ASCII string).
So one could infer a maximum input password length of 55 characters (not counting the terminating zero). ASCII characters, mind you: a generic Unicode character, when encoded in UTF-8, can use up to four bytes; and the visual concept of a glyph may consist of an unbounded number of Unicode characters. You will save a lot of worries if you restrict your passwords to plain ASCII.
However, there is a considerable amount of confusion on the actual limit. Some people believe that the "56 bytes" limit includes a 4-byte salt, leading to a lower limit of 51 characters. Other people point out that the algorithm, internally, manages things as 18 32-bit words, for a total of 72 bytes, so you could go to 71 characters (or even 72 if you don't manage strings with a terminating zero).
Actual implementations will have a limit which depends on what the implementer believed and enforced in all of the above. All decent implementations will allow you at least 50 characters. Beyond that, support is not guaranteed. If you need to support passwords longer than 50 characters, you can add a preliminary hashing step, as discussed in this question (but, of course, this means that you no longer compute "the" bcrypt, but a local variant, so interoperability goes down the drain).
Edit: it has been pointed out to me that although, from a cryptographer's point of view, the article is the ultimate reference, this is not necessarily how the designers thought about it. The "original" implementation could process up to 72 bytes. Depending on your stance on formalism, you may claim that the implementation is right and the article is wrong. Anyway, such is the current state of things that my advice remains valid: if you keep under 50 characters, you will be fine everywhere. (Of course it would have been better if the algorithm did not have a length limitation in the first place.)
tl;lr: BCrypt is limited to 72 bytes, not 56.
Background
BCrypt is limited to 72 bytes. The original paper also mentions the use of a null terminator. This means you would generally limited to:
- 71 characters + 1 byte null terminator
But the BCrypt 2a revision specifies the use of UTF-8 encoding (while the original whitepaper refers to ASCII). When using UTF-8, one character doesn't mean one byte, e.g.:
- Noël is four characters, but five bytes (
N
o
e
¨
l
) - is one character, but four bytes (
F0
9F
92
A9
) - M̡̢̛̖̗̘̙̜̝̞̟̠̀́̂̃̄̅̆̇̉̊̋̌̍̎̏̐̑̒̓̔̕̚ is one character, but 74 bytes (with the null terminator included)
So this throws a wrench into how many "characters" you're allowed.
Where does 55 or 56 come from then?
The original whitepaper mentions a maximum key length of 56 bytes:
Finally, the key argument is a secret encryption key, which can be a user-chosen password of up to 56 bytes (including a terminating zero byte when the key is an ASCII string).
This was a misunderstanding based on the Blowfish maximum recommended key size of 448 bits. (448 / 8 = 56 bytes). The Blowfish encryption algorithm, which bcrypt is derived from, has a maximum key size of 448 bits. From Bruce Schneier's original 1993 paper Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish):
The block size is 64 bits, and the key can be any length up to 448 bits.
On the other hand, the bcrypt algorithm can (and does), support up to 72 bytes for the key, e.g.:
- 71×8-bit character + 1× 8-bit null terminator
The 72-byte limit comes from the Blowfish P-Box size, which is 18 DWORDs (18×4 bytes = 72 bytes). From the original bcrypt whitepaper:
Blowfish is a 64-bit block cipher, structured as a 16-round Feistel network [14]. It uses 18 32-bit subkeys, P1, ..., P18, which it derives from the encryption key. The subkeys are known collectively as the P-Array
The canonical OpenBSD implementation will truncate any key that exceeds 72 bytes.
This means that if your UTF8 string that exceeds 72 bytes, it will be truncated to 72 bytes.
Warning:
- this truncation will remove the null terminator
- this truncation will even happen mid-character (for a multi-code point character)
For example, if your passwords ends with:
"…stapler"
the UTF-8 encoding for BCrypt will be:
══╤══╤═══╤═══╤═══╤═══╤═══╤═════╤═════╤═════╗
... 63│64│ 65│ 66│ 67│ 68│ 69│ 70 │ 71 │ 72 ║ 73 74
s │ t│ a │ p │ l │ e │ r │ 0xF0│ 0x9F│ 0x92║ 0xA9 \0
══╧══╧═══╧═══╧═══╧═══╧═══╧═════╧═════╧═════╝
|
cutoff
This means that in the canonical OpenBSD implementation, the bytes are cut off inside the middle of a character (even if it leaves you an invalid utf-8 byte sequence):
══╤══╤═══╤═══╤═══╤═══╤═══╤═════╤═════╤═════╗
... 63│64│ 65│ 66│ 67│ 68│ 69│ 70 │ 71 │ 72 ║
s │ t│ a │ p │ l │ e │ r │ 0xF0│ 0x9F│ 0x92║
══╧══╧═══╧═══╧═══╧═══╧═══╧═════╧═════╧═════╝
Get rid of maximum length
In recent years, it has been recognized as a good idea that a password hashing algorithm shouldn't have any maximum limit. But there's a problem with allowing a client to use an unlimited password:
- it introduces a denial of service attack by someone submitting a multi-gigabyte password.
This is why it's now becoming common to pre-hash a user's password with something like SHA2-256. The resulting base-64 encoded string, e.g.:
n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=
will only ever be 44 ASCII characters (45 with the null terminator).
This is the approach taken by DropBox, and is included in bcrypt.net:
BCrypt.EnhancedHashPassword("correct battery horse staple Noël M̡̢̛̖̗̘̙̜̝̞̟̠̀́̂̃̄̅̆̇̉̊̋̌̍̎̏̐̑̒̓̔̕̚");
This means that your expensive hashing algorithm won't cause you a denial of service.
Yes, BCrypt has an upper limit of 72 characters. It's a limitation by the Blowfish cipher itself. One way to work around it is by using SHA-256 first and then BCrypt the result. In your case it would be something like
hashpw(sha256('pass'), salt)