Limit Devise password length to 72 bytes

takeaway 2 connections

If you stay on bcrypt in Devise, cap the password length at 72 bytes (bytes, not characters: bcrypt hashes only the first 72 bytes of its input and silently drops the rest). Otherwise users can set longer passwords whose tail is never checked, and because Devise's length setting counts characters, a 72-character password in a multibyte script already overshoots the limit. This matters even more with a pepper: Devise appends the pepper to the password before hashing, so the usable password budget shrinks to 72 bytes minus the pepper's length, and a password that already fills 72 bytes pushes the pepper out of the hashed input entirely.
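The truncation described above, worked through in plain Ruby as an added example (this is not Devise's or bcrypt-ruby's code). It models bcrypt's 72-byte window with `byteslice` instead of calling the bcrypt gem, so it runs offline, and it shows a byte-aware check to pair with Devise's character-based `config.password_length`. The pepper value is constructed for the demonstration; that Devise appends the pepper before hashing is how `Devise::Encryptor` behaves, while the validation method name and the `User.pepper` class attribute are assumptions about how you would wire this into a model.

```ruby
# Added example (not Devise's or bcrypt-ruby's code). Models bcrypt's 72-byte
# input limit so it runs without the bcrypt gem, and provides a byte-aware
# length check for a Devise model. Devise's own setting,
#   config.password_length = 8..72
# validates character count, which is not the same thing as byte count.

BCRYPT_MAX_BYTES = 72

# Constructed pepper for the demonstration; in Devise it comes from config.pepper.
DEMO_PEPPER = "0123456789abcdef" # 16 bytes

# Devise appends the pepper to the password and hands the result to bcrypt,
# which only consumes the first 72 bytes. This returns the bytes bcrypt would
# actually see. (A model of the behaviour, not a hash; the real call is
# BCrypt::Password.create.)
def bcrypt_input(password, pepper = nil)
  "#{password}#{pepper}".b.byteslice(0, BCRYPT_MAX_BYTES)
end

# True when two passwords produce an identical bcrypt input, i.e. they differ
# only in bytes that bcrypt discards, so the two verify as the same password.
def indistinguishable_to_bcrypt?(pw_a, pw_b, pepper = nil)
  bcrypt_input(pw_a, pepper) == bcrypt_input(pw_b, pepper)
end

# True when the appended pepper survives truncation in full.
def pepper_survives?(password, pepper)
  bcrypt_input(password, pepper).end_with?(pepper.b)
end

# Largest password, in bytes, that fits alongside the pepper.
def max_password_bytes(pepper = nil)
  BCRYPT_MAX_BYTES - pepper.to_s.bytesize
end

# Byte-aware check. Returns nil when the password fits, otherwise a message for
# errors.add(:password, msg). In a Devise model this would be called from a
# custom validation (assumed wiring: `validate :password_fits_bcrypt`, reading
# the configured pepper from `self.class.pepper`).
def password_length_error(password, pepper = nil)
  limit = max_password_bytes(pepper)
  return nil if password.nil? || password.bytesize <= limit
  "is too long (maximum is #{limit} bytes for bcrypt, got #{password.bytesize})"
end

if __FILE__ == $0
  # 40 characters of "é" pass a 72-character check but occupy 80 bytes.
  multibyte = "\u00e9" * 40
  puts "#{multibyte.length} chars, #{multibyte.bytesize} bytes: " \
       "#{password_length_error(multibyte) || 'ok'}"

  # Two passwords differing only after byte 72 are the same password to bcrypt.
  base = "a" * 72
  puts "tail ignored: #{indistinguishable_to_bcrypt?(base + 'X', base + 'Y')}"

  # A 72-byte password pushes the pepper out of the hashed input entirely.
  puts "pepper survives a 72-byte password: #{pepper_survives?(base, DEMO_PEPPER)}"
  puts "usable password bytes with this pepper: #{max_password_bytes(DEMO_PEPPER)}"
end
```

Two takeaways from running it: a character-count limit of 72 is not enough on its own once multibyte input is allowed, and with a pepper the real ceiling is 72 minus the pepper's byte size, so set the limit (or the byte check) from that number rather than from 72.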

type: recommendation
about Devise (tool): Concrete configuration change for Devise.
from_talk: Alternative mitigation for teams staying on bcrypt.

Provenance

Read by
1 extraction