Skip to content

docs: warn about bcrypt 72-byte limit for basic auth#7

Open
T3pp31 wants to merge 2 commits into
static-web-server:masterfrom
T3pp31:update-basic-auth-72-bytes
Open

docs: warn about bcrypt 72-byte limit for basic auth#7
T3pp31 wants to merge 2 commits into
static-web-server:masterfrom
T3pp31:update-basic-auth-72-bytes

Conversation

@T3pp31

@T3pp31 T3pp31 commented Jul 15, 2026

Copy link
Copy Markdown

Summary

  • Clarify that SWS rejects passwords longer than 72 bytes before bcrypt verification.
  • Document that hashes generated by standard bcrypt utilities or Apache htpasswd are compatible with SWS for passwords of 72 bytes or fewer, while longer passwords do not match.
  • Recommend ASCII-only passwords of 72 characters or fewer.

Related

  • Documents bcrypt password length handling for Basic Authentication.

Generated with Devin

T3pp31 and others added 2 commits July 15, 2026 19:38
Add a warning to the Basic Authentication page explaining that SWS
uses non-truncating bcrypt verification, so hashes created for
passwords longer than 72 bytes with standard bcrypt tools (e.g.
Apache htpasswd) will not match. Recommend ASCII-only passwords of
72 characters or fewer.

Generated with [Devin](https://devin.ai)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant