Conversation

anoadragon453
Member

@anoadragon453 anoadragon453 commented Oct 20, 2025

Fixes #19063

bcrypt 5.0.0 raises a ValueError when a password's length is >72 bytes (pyca/bcrypt#1000), whereas before it would silently truncate instead.

This truncation is fine, as a password of length 72 is sufficiently long that it will still take millions of years to brute force. The pepper being cut off as well is also fine - it's designed to add bytes to short passwords.

We may want to think about transitioning away from bcrypt in future (to scrypt or argon2id), but for now this returns to existing behaviour without needing to downgrade bcrypt.

Question: should we backport this to a 1.140.1?

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

bcrypt 5.0.0 raises a `ValueError` when a password's length is >72
bytes. Before it would silently truncate instead.

This truncation is fine, as a password of length 72 is sufficiently long
that it will still take millions of years to brute force. The pepper
being cut off as well is also fine - it's designed to lengthen short
passwords.

We may want to think about transitioning away from bcrypt in future (to
scrypt or argon2id), but for now this returns to existing behaviour
without needing to downgrade `bcrypt`.
@anoadragon453 anoadragon453 marked this pull request as ready for review October 20, 2025 13:57
@anoadragon453 anoadragon453 requested a review from a team as a code owner October 20, 2025 13:57
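The behaviour this PR restores, as an added example that is not Synapse's own code: the password plus pepper is cut to bcrypt's 72-byte input limit before hashing, so bcrypt 5.0.0 no longer raises and hashes made by older, silently-truncating bcrypt versions still verify. The `pepper` value and the `bcrypt`-backed `hash_password`/`check_password` helpers are assumptions for illustration; `prepare_password` needs no third-party package.

```python
# Added example, not Synapse's code. Assumes the `bcrypt` package is installed
# for hash_password/check_password; prepare_password is pure Python.
BCRYPT_MAX_BYTES = 72  # bcrypt only consumes the first 72 bytes of its input


def prepare_password(password: str, pepper: str = "") -> bytes:
    """Append the pepper and cut the UTF-8 bytes to bcrypt's 72-byte limit.

    bcrypt < 5 truncated silently; bcrypt 5.0.0 raises ValueError instead.
    Truncating here keeps hashing working and feeds bcrypt exactly the bytes
    older versions hashed, so existing stored hashes still verify.
    For passwords of 72+ bytes the pepper is dropped entirely, which the PR
    accepts because the pepper exists to lengthen short passwords.
    Truncation is by byte, so a multibyte character may be split; bcrypt
    works on bytes, so hash and check stay consistent with each other.
    """
    return (password + pepper).encode("utf-8")[:BCRYPT_MAX_BYTES]


def hash_password(password: str, pepper: str = "", rounds: int = 12) -> str:
    import bcrypt  # imported lazily so prepare_password works without it

    return bcrypt.hashpw(
        prepare_password(password, pepper), bcrypt.gensalt(rounds)
    ).decode("ascii")


def check_password(password: str, stored_hash: str, pepper: str = "") -> bool:
    import bcrypt

    return bcrypt.checkpw(
        prepare_password(password, pepper), stored_hash.encode("ascii")
    )


if __name__ == "__main__":
    pepper = "example-pepper"  # constructed value, not a real server secret
    short = "correct horse battery staple"
    long_pw = "x" * 80  # 80 bytes: over the limit before the pepper is added
    assert prepare_password(short, pepper).endswith(b"example-pepper")
    assert len(prepare_password(long_pw, pepper)) == BCRYPT_MAX_BYTES
    # Consequence of the limit: inputs that agree on their first 72 bytes
    # are indistinguishable to bcrypt, whichever version is installed.
    h = hash_password(long_pw, pepper, rounds=4)  # low cost for the demo only
    assert check_password(long_pw, h, pepper)
    assert check_password(long_pw + "ignored tail", h, pepper)
    print("ok")
```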

Development

Successfully merging this pull request may close these issues.

Regression: register_new_matrix_user fails on v1.140.0