Long username? Okta says: no password needed!
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.
Late last Friday, Okta released a security advisory: accounts with a username of 52 or more characters could authenticate with only the username under some conditions.
From their own description:
"The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password."
THIS IS CRAZY!
Bcrypt is a hashing algorithm. The way it is intended to be used is by concatenating a password with a random salt. Concatenating a user ID with a username with a password - this phrase alone should raise the hackles of any security professional - is definitely not a standard usage of Bcrypt.
At best, Bcrypt is a (now not-so-frequently chosen) password hashing algorithm, not a method for generating cache keys by throwing a bunch of user info into one big string. Passwords shouldn't go in cache keys. Public/guessable data like usernames shouldn't go in password hashes. This is more than a weird corner-case vulnerability; this is TERRIBLE security design.
Bcrypt has a maximum input length of 72 bytes. You can probably guess the rest of the issue from here: start with a user ID, then add a username, ...then a password, if there's room left. No room left? Guess we don't need to check if the password matches at all!
