author: Donald Stufft <donald@stufft.io> 2015-10-20 09:42:43 -0400
committer: Donald Stufft <donald@stufft.io> 2015-10-20 09:42:43 -0400
commit: 211b9a1862c4074024a9895c1764060e6903fa71 (patch)
tree: cf8a3ff02d4f1334c2ff9fe033963e3dbcdc25a2
parent: 7c77787a47a72ca323899cae11e6944a2d501864 (diff)
parent: 85490507426e1bcef43a3d998faae00f5ccf687b (diff)
Merge pull request #52 from pyca/alex-patch-2
Document that bcrypt doesn't handle long passwords
-rw-r--r-- README.rst 15
1 files changed, 15 insertions, 0 deletions
diff --git a/README.rst b/README.rst
index bd24e1b..2479dbb 100644
--- a/README.rst
+++ b/README.rst
@@ -84,6 +84,21 @@ Another one of bcrypt's features is an adjustable prefix to let you define what
libraries you'll remain compatible with. To adjust this, pass either ``2a`` or
``2b`` (the default) to ``bcrypt.gensalt(prefix=b"2b")`` as a bytes object.
+Maxmimum Password Length
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The bcrypt algorithm only handles passwords up to 72 characters, any characters
+beyond that are ignored. To work around this, a common approach is to hash a
+password with a cryptographic hash, such as ``sha512`` before hasing it with
+``bcrypt``:
+
+.. code:: pycon
+
+ >>> password = b"an incredibly long password" * 10
+ >>> hashed = bcrypt.hashpw(
+ ... hashlib.sha512(password).digest(),
+ ... bcrypt.gensalt()
+ ... )
Compatibility
-------------
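
Review bot: In the added example, ``hashlib.sha512(password).digest()`` hands bcrypt the raw digest bytes, and a raw digest can contain a NUL byte; bcrypt implementations commonly treat the password as a NUL-terminated string, so the input may be cut short at that byte or rejected. Suggest encoding the digest before passing it to ``bcrypt.hashpw`` (base64, for example) and choosing a hash whose encoded form stays inside the 72-byte limit the paragraph describes: a base64-encoded SHA-512 digest is 88 bytes, a base64-encoded SHA-256 digest is 44. Smaller points in the same hunk: the heading reads "Maxmimum", "hasing" should be "hashing", "72 characters" should be "72 bytes" since the argument is a bytes object, and the example uses ``hashlib`` without showing the import.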