Long username? Okta says: no password needed!
Okta recently released a security advisory stating that, under certain conditions, accounts with usernames longer than 52 characters could authenticate without a password. The issue stems from Okta's use of bcrypt, a password hashing algorithm, to generate cache keys: a user ID, username, and password were concatenated into a single string and hashed with bcrypt. Using a password hashing function in this unconventional way raises questions about Okta's security design priorities. The vulnerability was introduced in a standard Okta release in July 2024, despite the company's stated commitment to becoming one of the most secure companies in the world. The incident underscores the value of open source, transparent identity-provider solutions such as authentik.
Company: Authentik Security
Date published: Nov. 2, 2024
Author(s): Fletcher Heisler
Word count: 800
Hacker News points: None found.
Language: English