yan
reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first.
Kinnaird McQuade 💻☁️💥
Okta allowing login bypass for any usernames with 52+ characters is insane.
Official Security Advisory: https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/
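
Added example, not part of either post and not Okta's code: a Python model of the truncation the first post describes, showing `username || password` accepting a wrong password once the username fills bcrypt's 72-byte input limit, next to the SHA-256 pre-hash fix. `model_bcrypt` is a hypothetical stand-in that truncates like bcrypt but uses PBKDF2 from the standard library; all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72  # bcrypt uses at most the first 72 bytes of its input


def model_bcrypt(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (NOT real bcrypt): same truncation, PBKDF2 inside."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_MAX_BYTES], salt, 1000)


def naive_key(username: str, password: str) -> bytes:
    """The construction from the post: username || password."""
    return username.encode() + password.encode()


def prehashed_key(username: str, password: str) -> bytes:
    """The fix from the post: SHA-256 the input first.

    base64 keeps the 32-byte digest free of NUL bytes (some bcrypt
    implementations stop at the first NUL); the result is 44 bytes, under 72.
    """
    return base64.b64encode(hashlib.sha256(naive_key(username, password)).digest())


def password_bytes_hashed(username: str, password: str) -> int:
    """Number of password bytes in the naive key that survive truncation."""
    room = max(0, BCRYPT_MAX_BYTES - len(username.encode()))
    return min(room, len(password.encode()))


def verify(key_fn, username: str, password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash for the supplied credentials and compare in constant time."""
    candidate = model_bcrypt(key_fn(username, password), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample values
    user = "u" * 80             # constructed long username
    for key_fn in (naive_key, prehashed_key):
        stored = model_bcrypt(key_fn(user, "correct horse"), salt)
        ok = verify(key_fn, user, "not the password", salt, stored)
        print(f"{key_fn.__name__}: wrong password accepted = {ok}")
    print("password bytes hashed (naive):", password_bytes_hashed(user, "correct horse"))
```

`password_bytes_hashed` can be run over existing account names to find those where the naive construction leaves few or no password bytes inside the hashed prefix.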