From a6467619170d184cceb5e101ff162786b9eef6c1 Mon Sep 17 00:00:00 2001 From: "Teppei.F" <37261985+T3pp31@users.noreply.github.com> Date: Wed, 15 Jul 2026 19:38:38 +0900 Subject: [PATCH 1/2] docs: warn about bcrypt 72-byte limit for basic auth Add a warning to the Basic Authentication page explaining that SWS uses non-truncating bcrypt verification, so hashes created for passwords longer than 72 bytes with standard bcrypt tools (e.g. Apache htpasswd) will not match. Recommend ASCII-only passwords of 72 characters or fewer. Generated with [Devin](https://devin.ai) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- src/v2/features/basic-authentication.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/v2/features/basic-authentication.md b/src/v2/features/basic-authentication.md index 69ec36b..cac478c 100644 --- a/src/v2/features/basic-authentication.md +++ b/src/v2/features/basic-authentication.md @@ -14,6 +14,14 @@ Both are separated by a `:` (punctuation mark) character. > > Only the password must be encoded using the [`BCrypt`](https://en.wikipedia.org/wiki/Bcrypt) password-hashing function. +> [!WARNING] Bcrypt Password Length Limit +> +> SWS verifies bcrypt hashes using non-truncating verification. The `bcrypt` algorithm only considers the first **72 bytes** of a password. +> +> If you generated a bcrypt hash with a tool that truncates passwords (for example, the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool or standard `bcrypt` utilities) for a password longer than 72 bytes, the same hash will **not** match in SWS. +> +> Make sure your password is **at most 72 bytes** long. We recommend using **ASCII-only passwords of 72 characters or fewer** to avoid encoding issues. + As an example, we will use the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool to generate the `username:encrypted_password` pair. ```sh From ba6fe45765dda3bcb3e187685207513f12f0dd83 Mon Sep 17 00:00:00 2001 From: "Teppei.F" <37261985+T3pp31@users.noreply.github.com> Date: Wed, 15 Jul 2026 20:11:18 +0900 Subject: [PATCH 2/2] docs: clarify bcrypt password length handling --- src/v2/features/basic-authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/v2/features/basic-authentication.md b/src/v2/features/basic-authentication.md index cac478c..5d3cb95 100644 --- a/src/v2/features/basic-authentication.md +++ b/src/v2/features/basic-authentication.md @@ -16,9 +16,9 @@ Both are separated by a `:` (punctuation mark) character. > [!WARNING] Bcrypt Password Length Limit > -> SWS verifies bcrypt hashes using non-truncating verification. The `bcrypt` algorithm only considers the first **72 bytes** of a password. +> SWS rejects passwords longer than **72 bytes** before bcrypt verification. Hashes generated with standard `bcrypt` utilities or the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool are compatible with SWS for passwords of 72 bytes or fewer. > -> If you generated a bcrypt hash with a tool that truncates passwords (for example, the [Apache `htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) tool or standard `bcrypt` utilities) for a password longer than 72 bytes, the same hash will **not** match in SWS. +> Passwords longer than 72 bytes will **not** match in SWS, even if the hash was generated by a tool that truncates the password. > > Make sure your password is **at most 72 bytes** long. We recommend using **ASCII-only passwords of 72 characters or fewer** to avoid encoding issues.