Diffstat (limited to 'releasenotes/notes/max-password-length-truncation-and-warning-bd69090315ec18a7.yaml')
-rw-r--r-- releasenotes/notes/max-password-length-truncation-and-warning-bd69090315ec18a7.yaml 9
1 files changed, 9 insertions, 0 deletions
diff --git a/releasenotes/notes/max-password-length-truncation-and-warning-bd69090315ec18a7.yaml b/releasenotes/notes/max-password-length-truncation-and-warning-bd69090315ec18a7.yaml
new file mode 100644
index 000000000..003dc47df
--- /dev/null
+++ b/releasenotes/notes/max-password-length-truncation-and-warning-bd69090315ec18a7.yaml
@@ -0,0 +1,9 @@
+---
+security:
+ - |
+ Passwords will now be automatically truncated if the max_password_length is
+ greater than the allowed length for the selected password hashing
+ algorithm. Currently only bcrypt has fixed allowed lengths defined which is
+ 54 characters. A warning will be generated in the log if a password is
+ truncated. This will not affect existing passwords, however only the first
+ 54 characters of existing bcrypt passwords will be validated.
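Review bot: the last sentence of the security note ("This will not affect existing passwords, however only the first 54 characters of existing bcrypt passwords will be validated") reads as contradictory to an operator. If only the first 54 characters are checked, an existing bcrypt password longer than that is accepted on a 54-character prefix match, which is an effect on existing passwords. Suggest stating that directly and saying whether stored hashes are changed. The limit is also given in "characters"; hashing operates on the encoded password, so please state whether 54 is counted in characters or in bytes, since the two differ for non-ASCII passwords. Finally, the first sentence makes truncation conditional on max_password_length exceeding the algorithm's limit, so it would help to say whether operators are expected to lower max_password_length to match, and to repeat that guidance under an upgrade section so it is not only visible under the security heading.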