diff --git a/src/v2/features/basic-authentication.md b/src/v2/features/basic-authentication.md index 69ec36b..5d3cb95 100644 --- a/src/v2/features/basic-authentication.md +++ b/src/v2/features/basic-authentication.md @@ -14,6 +14,14 @@ Both are separated by a `:` (punctuation mark) character. > > Only the password must be encoded using the [`BCrypt`](https://en.wikipedia.org/wiki/Bcrypt) password-hashing function. +> [!WARNING] Bcrypt Password Length Limit +> +> SWS rejects passwords longer than **72 bytes** before bcrypt verification. Hashes generated with standard `bcrypt` utilities or the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool are compatible with SWS for passwords of 72 bytes or fewer. +> +> Passwords longer than 72 bytes will **not** match in SWS, even if the hash was generated by a tool that truncates the password. +> +> Make sure your password is **at most 72 bytes** long. We recommend using **ASCII-only passwords of 72 characters or fewer** to avoid encoding issues. + As an example, we will use the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool to generate the `username:encrypted_password` pair. ```sh