A recent security incident at Okta has highlighted important lessons about API design and security. The incident, reported on November 1st, exposed how the popular Bcrypt hashing algorithm could be exploited under specific conditions.
The vulnerability stemmed from Bcrypt's 72-character input length limitation. When usernames exceeded 52 characters, authentication could be bypassed by providing any password. For usernames around 50 characters, attackers only needed to guess a few characters to gain unauthorized access.
Testing across multiple programming languages revealed concerning patterns in how Bcrypt libraries handle this limitation:
- Go's crypto/bcrypt library properly validates input length and rejects strings over 72 characters
- Spring Security's BCrypt implementation silently truncates longer inputs without warning
- JavaScript's bcryptjs, Python's bcrypt, and Rust's rust-bcrypt all exhibit similar truncation behavior
- Only a few implementations, like Java's at.favre library, explicitly prevent oversized inputs
The root cause traces back to OpenBSD's original Bcrypt implementation from 1997, which established the pattern of truncating inputs at 72 bytes. Many modern libraries continue this approach despite its security implications.
Key lessons for better API design include:
- Reject invalid inputs explicitly rather than silently modifying them
- Make behavior predictable and well-documented
- Prioritize security over backward compatibility when needed
- Help developers use the API correctly through input validation
- Be willing to improve upon established patterns
The incident demonstrates how API design choices can have major security ramifications. While following historical implementations may seem safe, modern security needs often require rethinking traditional approaches.
For developers building security-related APIs today, the key takeaway is to fail fast and explicitly on invalid inputs rather than attempting to silently "fix" them. This helps prevent subtle vulnerabilities that could be exploited by attackers.