Critical vulnerability: Missing maximum password length validation with bcryptjs

[sinanptm]

Summary

A critical security vulnerability in impler.io's password hashing implementation allows for potential authentication bypass and performance degradation due to missing maximum password length validation when using bcryptjs.

Details

Strapi currently uses bcryptjs for password hashing, which has a known password length limit of 72 bytes. However, Strapi's implementation only enforces a minimum password length of 8 characters without imposing a maximum length restriction during validation.

The vulnerability arises from two main issues:

bcryptjs silently truncates passwords exceeding 72 bytes, leading to unexpected behavior.
Imler.io lacks validation for maximum password length, allowing users to create passwords longer than the bcryptjs limit.

This combination can result in:
Passwords longer than 72 characters being truncated without user awareness.
Potential authentication issues as users may not realize their full password is not being stored or validated accurately.
Possible predictable hash values for passwords exceeding 72 characters, increasing vulnerability to attacks.

The relevant code for password hashing and validation in Impler.io should be examined, particularly in the user registration and authentication processes.

Impact

Vulnerability Type: Authentication Bypass, Information Disclosure
Severity: High
Affected Component: Password Hashing and Validation in Impler.io's Authentication System

[chavda-bhavik]

Thanks for this deep analysis @sinanptm. I will be more than happy to take it into priority, would you like to contribute to the issue?

[sinanptm]

Thank you for the prompt response and for prioritizing this issue. I'd be happy to contribute to resolving it. I'll start working on implementing a maximum password length to mitigate the vulnerability and ensure safe password handling.

[sinanptm]

As I proceed, I wanted to confirm a few details regarding the solution approach. Setting a maximum password length of 72 characters (or slightly below, like 70) seems sensible, but I wanted to check if enforcing this might cause any issues for current users with passwords exceeding this length. For instance, should we consider a migration step, or would users be prompted to reset passwords only if they exceed the new limit?

Let me know your thoughts, and I’ll proceed accordingly.
@chavda-bhavik

[chavda-bhavik]

@sinanptm let's not worry about it. We will inform everyone about it and if they face issue they can just reset the password.

[sinanptm]

Ok, then i will start working on it

[sinanptm]

I have added validtion while signing up and reseting password.

#866

[chavda-bhavik]

@sinanptm let's keep the max password length as 24 including,

• Mention in the description about max password size
• Add validation for max password size

In addition to using constants such as MAX_PASSWORD_LENGTH which are mentioned in the constants.config.ts file in the config folder of the web.

[sinanptm]

I will update the pr Once i am done