A comprehensive analysis of how various programming languages and libraries handle Bcrypt's 72-character input limitation reveals widespread security vulnerabilities similar to the Okta incident. Most implementations silently truncate input exceeding the limit rather than throwing errors, potentially allowing authentication bypasses with long usernames. Only Go's standard library and a specific Java implementation properly validate input length, highlighting the importance of secure API design.

https://n0rdy.foo/posts/20250121/okta-bcrypt-lessons-for-better-apis/

via https://hnrss.org/newest?points=100
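To make the summary's point concrete, here is an added example (not code from the linked post, Okta, or any of the libraries it surveys) showing why silent truncation matters and what a fail-closed wrapper looks like. It models a truncating binding with a constructed stand-in that keys an HMAC on the first 72 bytes; it is not bcrypt, it only reproduces the truncation behaviour, so the example runs with the Python standard library alone. The concatenation pattern in `unsafe_cache_key` (identifiers placed ahead of the password in a single bcrypt input) is assumed for illustration, and the limit is checked in bytes rather than characters, which is the caveat a practitioner should carry away: a 40-character password in a two-byte script is already over 72 bytes.

```python
import hashlib
import hmac

# bcrypt derives its key from at most 72 bytes of input; anything after that is ignored.
BCRYPT_MAX_BYTES = 72


def truncating_bcrypt_stub(data: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a bcrypt binding that truncates silently.

    This is NOT bcrypt. It only models the behaviour under discussion: the
    result depends on the first 72 bytes of `data` and nothing after them,
    just as a truncating binding ignores everything past byte 72.
    """
    return hmac.new(salt, data[:BCRYPT_MAX_BYTES], hashlib.sha256).digest()


def strict_hash(data: bytes, salt: bytes, backend=truncating_bcrypt_stub) -> bytes:
    """Fail-closed wrapper: refuse any input the backend would truncate.

    The limit is enforced on bytes, not characters, so callers must encode
    text first; that is what the TypeError guard is for.
    """
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("encode to bytes before hashing so the limit is checked in bytes")
    if len(data) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"input is {len(data)} bytes; bcrypt uses only the first {BCRYPT_MAX_BYTES}"
        )
    return backend(bytes(data), salt)


def is_rejected(data: bytes, salt: bytes) -> bool:
    """True if strict_hash refuses `data` because it is over the limit."""
    try:
        strict_hash(data, salt)
    except ValueError:
        return True
    return False


def unsafe_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Assumed shape of the flawed pattern (illustrative, not from the page):
    identifiers are concatenated ahead of the password and the whole string is
    handed to a truncating bcrypt. Once the prefix reaches 72 bytes, the
    password starts past the cut-off and no longer affects the result."""
    combined = f"{user_id}{username}{password}".encode("utf-8")
    return truncating_bcrypt_stub(combined, salt)


def password_is_ignored(user_id: str, username: str, salt: bytes) -> bool:
    """Detection check: do two different passwords give the same key for this user?"""
    k1 = unsafe_cache_key(user_id, username, "correct-horse", salt)
    k2 = unsafe_cache_key(user_id, username, "wrong-staple", salt)
    return hmac.compare_digest(k1, k2)


def safe_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Same purpose with two fixes: the password is hashed on its own through the
    strict wrapper (so over-length input is rejected, never truncated), and the
    identifiers are bound in afterwards, outside the bcrypt input, with an
    unambiguous separator."""
    pw_hash = strict_hash(password.encode("utf-8"), salt)
    binding = f"{user_id}\x00{username}\x00".encode("utf-8") + pw_hash
    return hmac.new(salt, binding, hashlib.sha256).digest()


if __name__ == "__main__":
    salt = b"constructed-salt-for-demo"
    print("short username, password ignored:", password_is_ignored("00u1", "bob", salt))
    print("70-char username, password ignored:", password_is_ignored("00u1", "a" * 70, salt))
    print("73 ASCII bytes rejected:", is_rejected(b"x" * 73, salt))
    print("40 two-byte chars rejected:", is_rejected("\u00e9".encode("utf-8") * 40, salt))
```

`password_is_ignored` is the kind of check worth running against any code path that feeds a composite string to bcrypt: if two different passwords produce the same output for a long-enough identifier, the library is truncating and the caller has the bug the summary describes.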
