From 51485ee66b48a2f60bab332dd659d40f74aae51e Mon Sep 17 00:00:00 2001 From: Carla Schroder Date: Wed, 6 May 2015 17:27:24 -0700 Subject: [PATCH] hard limit on password length --- admin_manual/configuration_server/harden_server.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst index 3247bbf16..b1f0bdf30 100644 --- a/admin_manual/configuration_server/harden_server.rst +++ b/admin_manual/configuration_server/harden_server.rst @@ -15,6 +15,11 @@ run ownCloud Server on Apache2 on a Linux environment. critical security-relevant options are missing. However, it is still up to the server administrator to review and maintain system security. +Limit on Password Length +------------------------ + +ownCloud uses the bcrypt algorithm and thus for security and performance reasons, e.g. Denial of Service as CPU demand increases exponentially, it only verifies the first 72 characters of passwords. This applies to all passwords that you use in ownCloud: user passwords, passwords on link shares, and passwords on external shares. + Operating system ----------------
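Review bot: In the added paragraph under "Limit on Password Length", the clause "e.g. Denial of Service as CPU demand increases exponentially" does not say what the CPU demand increases with, so the reason for the limit is unclear to an administrator. Please state the cause directly, for example that hashing very long inputs could be used to exhaust server CPU. The paragraph also says "the first 72 characters", while bcrypt's input limit is 72 bytes. Please confirm which unit applies here, because with multi-byte UTF-8 passwords fewer than 72 characters would be verified. It would also help to state the consequence explicitly: two passwords that share the same first 72 characters are accepted as the same password, for user passwords, link shares and external shares alike.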