Okta Security Incident: Exploiting Bcrypt's Length Limitation

Popular：

Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Okta Security Incident: Exploiting Bcrypt's Length Limitation

2025-02-05

The Okta security incident stemmed from how its Bcrypt implementation handled input length. Bcrypt's 72-character limit caused truncation, allowing authentication with only partial usernames and cached keys. The article analyzes Bcrypt libraries in Go, Java, JavaScript, Python, and Rust, revealing many lack input length validation, creating security risks. The author advocates for improved API design, explicitly rejecting invalid input to prevent such vulnerabilities.

(n0rdy.foo)

Development API design

Workday Cuts 8.5% of Workforce, Embraces AI-Driven Efficiency

Conway's Law: Software Architecture Mirrors Organizational Structure