As a security API, passlib should fail noisily rather than possibly truncate passwords silently.
As such, the following should not even be possible with passlib:
    In : h = bcrypt.encrypt('a'*72 + 'a')
    In : bcrypt.verify('a'*72 + 'a', h)
    Out: True
    In : bcrypt.verify('a'*72 + 'b', h)
    Out: True
I understand it is by design (of the bcrypt algorithm) and that the bcrypt_sha256 implementation does not suffer from this problem. However,
bcrypt.encrypt() of a string longer than 72 characters should fail as should
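To make the failure mode concrete, here is an added example (not passlib's own code, and not from the reporter) showing why the two 73-character passwords above verify against the same hash, and what a "fail noisily" length check looks like. bcrypt's key schedule only consumes the first 72 bytes of the password, so the check must count UTF-8 bytes, not characters: 40 two-byte characters are already 80 bytes. The `fake_bcrypt` helper inside `demo()` is a constructed stand-in (SHA-256 over the truncated bytes) used only to reproduce the 72-byte cutoff offline; it is not a password hash and should not be used as one.

```python
import hashlib

# bcrypt only feeds the first 72 bytes of the password into its key schedule;
# any bytes beyond that never influence the resulting hash.
BCRYPT_MAX_BYTES = 72


def check_bcrypt_password(password: str, limit: int = BCRYPT_MAX_BYTES) -> bytes:
    """Return the UTF-8 encoding of `password`, or raise if bcrypt would truncate it.

    The limit is in bytes, not characters, so non-ASCII passwords hit it sooner.
    """
    data = password.encode("utf-8")
    if len(data) > limit:
        raise ValueError(
            f"password is {len(data)} bytes; bcrypt only uses the first {limit}"
        )
    return data


def collides_after_truncation(pw_a: str, pw_b: str, limit: int = BCRYPT_MAX_BYTES) -> bool:
    """True if bcrypt would treat pw_a and pw_b as the same key (same first `limit` bytes)."""
    return pw_a.encode("utf-8")[:limit] == pw_b.encode("utf-8")[:limit]


def guarded_hash(password: str, hash_fn) -> str:
    """Run the length check before handing the password to the hash.

    `hash_fn` is a hypothetical bytes -> str hashing callable; in real code it
    would wrap the bcrypt implementation you actually use.
    """
    return hash_fn(check_bcrypt_password(password))


def demo():
    # Constructed stand-in for bcrypt: it reproduces the 72-byte cutoff so the
    # collision can be shown offline. It is NOT a password hash.
    def fake_bcrypt(data: bytes) -> str:
        return hashlib.sha256(data[:BCRYPT_MAX_BYTES]).hexdigest()

    a, b = "a" * 72 + "a", "a" * 72 + "b"
    # Unchecked path: the 73rd byte is silently dropped, so both hash identically.
    collide = fake_bcrypt(a.encode("utf-8")) == fake_bcrypt(b.encode("utf-8"))
    # Guarded path: the over-long password is rejected instead of truncated.
    try:
        guarded_hash(a, fake_bcrypt)
        rejected = False
    except ValueError:
        rejected = True
    return collide, rejected


if __name__ == "__main__":
    print(demo())
```

The same check belongs in front of `verify()` as well as `encrypt()`: if verification silently truncates, a stored hash for a 73-byte password accepts every password that shares its first 72 bytes, which is exactly the behaviour reported above.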