Okta Bcrypt incident lessons for designing better APIs

The Okta security incident involved a vulnerability where usernames over 52 characters allowed logins with any password, due to a limitation of the Bcrypt hashing algorithm. Long usernames are not common, but they can pose a risk in some cases, such as when the username is an email address. Programming languages and their libraries handle input validation differently: Go's bcrypt package enforces a 72 character limit, Spring Security performs no input validation, and JavaScript's bcryptjs also lacks length validation. Rust's bcrypt library truncates input to 72 characters, following the OpenBSD implementation. Together these differences highlight the need for consistent input length validation across libraries. The controversial issue raised is that this inconsistent input validation leads to potential security vulnerabilities.
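The post's point is that the silent 72-byte window in bcrypt turns a long username into a password bypass, and that the fix belongs in the API surface: either reject over-length input or pre-hash it. The following is an added example, not code from the post or from any of the libraries it names. It models the truncating behaviour with a plain byte slice so it runs without a bcrypt package, counts UTF-8 bytes rather than characters (bcrypt's limit is 72 bytes), and assumes a hypothetical composite key of the form `user_id + username + password`; the `user_id` value and the 20-character length are constructed for illustration, not taken from the page. If the `bcrypt` package happens to be installed, the last function checks the collision against a real implementation.

```python
import base64
import hashlib

# bcrypt hashes only the first 72 bytes of its input; a truncating implementation
# (the OpenBSD behaviour the post attributes to Rust's crate) ignores the rest silently.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(secret: str) -> bytes:
    """Return the bytes a truncating bcrypt implementation would actually hash."""
    return secret.encode("utf-8")[:BCRYPT_MAX_BYTES]


def collides_under_bcrypt(a: str, b: str) -> bool:
    """True when two inputs become identical after truncation, i.e. hash the same."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def password_bytes_hashed(prefix: str, password: str) -> int:
    """For a hypothetical composite key prefix + password, how many bytes of the
    password still fall inside the 72-byte window. Zero means any password verifies."""
    room = BCRYPT_MAX_BYTES - len(prefix.encode("utf-8"))
    return max(0, min(room, len(password.encode("utf-8"))))


def validated_bcrypt_input(secret: str) -> bytes:
    """Mitigation 1: refuse over-length input instead of truncating it (bytes, not chars)."""
    data = secret.encode("utf-8")
    if len(data) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"input is {len(data)} bytes; bcrypt hashes at most {BCRYPT_MAX_BYTES}"
        )
    return data


def prehashed_bcrypt_input(secret: str) -> bytes:
    """Mitigation 2: pre-hash so input of any length maps to 44 base64 bytes
    (SHA-256 digest), which always fits the window and contains no NUL bytes."""
    return base64.b64encode(hashlib.sha256(secret.encode("utf-8")).digest())


def real_bcrypt_collision(a: str, b: str):
    """Optional cross-check with the 'bcrypt' package if it is installed.
    Returns True/False for a real collision, 'rejected' if the library itself
    refuses over-length input, or None when the package is absent."""
    try:
        import bcrypt  # third-party; not required for the rest of this example
    except ImportError:
        return None
    try:
        hashed = bcrypt.hashpw(a.encode("utf-8"), bcrypt.gensalt(rounds=4))
        return bcrypt.checkpw(b.encode("utf-8"), hashed)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed values: a 20-character user id leaves 52 bytes for the username,
    # matching the threshold the post describes (layout assumed, not from the page).
    user_id = "00u" + "x" * 17
    username = "a" * 52 + "@example.com"          # 64 bytes: pushes password out
    key_ok = user_id + username + "correct-horse"
    key_bad = user_id + username + "wrong"
    print("password bytes hashed:", password_bytes_hashed(user_id + username, "correct-horse"))
    print("truncating bcrypt treats both keys alike:", collides_under_bcrypt(key_ok, key_bad))
    print("real bcrypt check:", real_bcrypt_collision(key_ok, key_bad))
    print("pre-hashed length:", len(prehashed_bcrypt_input(key_ok)))
    try:
        validated_bcrypt_input(key_ok)
    except ValueError as err:
        print("validation rejects the key:", err)
```

The composite-key helper is the check a reviewer would run on any design that feeds `prefix + secret` into bcrypt: if `password_bytes_hashed` can reach zero for a prefix the user controls (a username, an email address), the password is not part of the hash at all. Of the two mitigations, rejecting over-length input is the simplest to reason about; pre-hashing removes the length dependence entirely but must be applied identically at enrolment and verification.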

https://n0rdy.foo/posts/20250121/okta-bcrypt-lessons-for-better-apis/