On my application, I have a User model (extended with other fields) and the password field has not been overridden (so its max-length is the default of 128).
I’ve never had a problem with login pages but today I got an error on login where a value is too big. (Stacktrace ended with this line as the culprit as Django proceeded to update a hash on login).
In my User table, all existing password hashes were of length 119.
New logins are now producing hashes of length 140 (exceeding the 128 limit).
The only thing I have done differently since my last successful login was update Django from v4.2.1 to v4.2.5 (but it’s not a version issue as I reinstalled my previous version and got the same behaviour).
The salt-entropy is increased from the default but that change was 2 years ago and I’ve had successful logins all this time.
I know my fix is to override the password field and set a higher max-length but I’m curious over why the length-increase happened? If it’s possible, I want to prepare for future hash-length-increases (should I set the password max-length to be higher than my salt-entropy value?). This is probably down to my lack-of-knowledge on Django’s password management docs.
Something else must be involved here, because in Django 4.2.5 the password field is still max_length 128.
If you can reproduce this using a minimal example and only system-provided code, it would be worth submitting an issue for it.
Thanks for the quick reply!
Is there a correlation between what I set as the salt-entropy and what should be the password max-length? (Default salt-entropy is 128 in BasePasswordHasher which matches the default password length)
If not, yes, I will keep in mind something in my code/environment could be at play here and will consider seeing if I can reproduce this in a smaller example.
Not quite. The
salt_entropy variable references a number of bits, not characters. (See https://github.com/django/django/blob/b8b2f7451201f3ff60891b6ce55f177400700d7a/django/contrib/auth/hashers.py#L214)
Also see How Django stores passwords
But yes, since the salt is included in the hashed password field, a longer salt is going to lengthen the overall size of the password.
In one of my current projects, the 4 components of the password are of lengths 13, 6, 22 (salt), and 44 (pbkdf2_sha256) → total 85 characters.
Oh ok! Thanks so much for the links and the example.
I’ll further investigate my code/environment to see if I can conclude anything.
Solved! I debugged the Argon2PasswordHasher in Django and my local environment had an old version of the argon2-cffi package used
and I had upgraded my argon2-cffi package alongside Django since my last successful login.
By upgrading the argon2-cffi package, the hash-length doubled (from 16 to 32).