Password Hash Length Increased

jecarr · September 6, 2023, 4:16pm

Hey everyone,

On my application, I have a User model (extended with other fields) and the password field has not been overridden (so its max-length is the default of 128).

I’ve never had a problem with login pages but today I got an error on login where a value is too big. (Stacktrace ended with this line as the culprit as Django proceeded to update a hash on login).

In my User table, all existing password hashes were of length 119.
New logins are now producing hashes of length 140 (exceeding the 128 limit).

The only thing I have done differently since my last successful login was update Django from v4.2.1 to v4.2.5 (but it’s not a version issue as I reinstalled my previous version and got the same behaviour).

The salt-entropy is increased from the default but that change was 2 years ago and I’ve had successful logins all this time.

I know my fix is to override the password field and set a higher max-length but I’m curious over why the length-increase happened? If it’s possible, I want to prepare for future hash-length-increases (should I set the password max-length to be higher than my salt-entropy value?). This is probably down to my lack-of-knowledge on Django’s password management docs.

KenWhitesell · September 6, 2023, 4:29pm

Something else must be involved here, because in Django 4.2.5 the password field is still max_length 128.
See https://github.com/django/django/blob/cafe7266ee69f7e017ddbc0d440084ace559b04b/django/contrib/auth/base_user.py#L59

If you can reproduce this using a minimal example and only system-provided code, it would be worth submitting an issue for it.

jecarr · September 6, 2023, 4:38pm

Thanks for the quick reply!

Is there a correlation between what I set as the salt-entropy and what should be the password max-length? (Default salt-entropy is 128 in BasePasswordHasher which matches the default password length)

If not, yes, I will keep in mind something in my code/environment could be at play here and will consider seeing if I can reproduce this in a smaller example.

KenWhitesell · September 6, 2023, 4:59pm

Not quite. The salt_entropy variable references a number of bits, not characters. (See https://github.com/django/django/blob/b8b2f7451201f3ff60891b6ce55f177400700d7a/django/contrib/auth/hashers.py#L214)

Also see How Django stores passwords

But yes, since the salt is included in the hashed password field, a longer salt is going to lengthen the overall size of the password.

In one of my current projects, the 4 components of the password are of lengths 13, 6, 22 (salt), and 44 (pbkdf2_sha256) → total 85 characters.

jecarr · September 6, 2023, 5:07pm

Oh ok! Thanks so much for the links and the example.

I’ll further investigate my code/environment to see if I can conclude anything.

jecarr · September 11, 2023, 5:44pm

Solved! I debugged the Argon2PasswordHasher in Django and my local environment had an old version of the argon2-cffi package used

and I had upgraded my argon2-cffi package alongside Django since my last successful login.

By upgrading the argon2-cffi package, the hash-length doubled (from 16 to 32).

Topic		Replies	Views
Test for Password Max length fails with Custom User model Using Django	4	2678	February 14, 2021
Problem with User.username property's maxlength Using the ORM	10	44	November 6, 2024
Declare a model field the same as Django's password Using Django	1	2887	November 21, 2020
Stop increasing default PBKDF2 iteration count Django Internals	8	1506	May 3, 2024
value too long for type character varying Mystery Errors	1	1022	February 8, 2022

Password Hash Length Increased

Related topics