[Openstack-security] [Bug 1175906] Re: passlib: long passwords trigger long checks
OpenStack Hudson
1175906 at bugs.launchpad.net
Fri Jul 12 14:22:43 UTC 2013
** Changed in: keystone
Assignee: Dolph Mathews (dolph) => Lance Bragstad (ldbragst)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175906
Title:
passlib: long passwords trigger long checks
Status in OpenStack Identity (Keystone):
In Progress
Bug description:
Grant Murphy originally reported:
* Denial of Service
The passlib restriction of 4096 for maximum password length is
potentially too generous for production environments. On my local machine
the sha512_crypt algorithm with input of 4096 and 40000
rounds will potentially introduce a DoS problem:
feasible length(128) password encrypt: 0.0707409381866 seconds
feasible length(128) password verify: 0.140727996826 seconds
excessive length(4096) password encrypt: 1.33277702332 seconds
excessive length(4096) password verify: 2.66491699219 seconds
I would consider tweaking these values (length or rounds) to reduce
the computational overhead here or you're probably going to have a bad time.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175906/+subscriptions
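The mitigation the report points at (bounding length or rounds) can be made concrete as a byte-length guard that runs before the slow hash, so an oversized input is rejected for the cost of an encode and a comparison rather than 40000 rounds. The following is an added example, not Keystone or passlib code. It assumes a policy limit of 128 bytes (taken from the "feasible" length in the timings above, but a tunable choice) and uses hashlib's PBKDF2-HMAC-SHA512 as a stand-in for sha512_crypt so it runs on the standard library alone; note that PBKDF2 does not grow linearly with input length the way sha512_crypt does, so the point here is the guard, not a reproduction of the timings.

```python
"""
Added example (not Keystone/passlib code): reject over-long passwords
*before* the expensive KDF runs, so the verify path has a bounded cost.

Assumptions (not from the bug report):
  - MAX_PASSWORD_BYTES = 128 is a policy knob; the bug's "feasible" length.
  - PBKDF2-HMAC-SHA512 stands in for passlib's sha512_crypt.
"""
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_BYTES = 128   # enforced on the UTF-8 byte length, not characters
ROUNDS = 40000             # same work factor the report measured
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised before any hashing when the input exceeds the byte limit."""


def check_password_length(password: str,
                          max_bytes: int = MAX_PASSWORD_BYTES) -> bytes:
    """Return the UTF-8 encoding of `password`, or raise if it is too long.

    The limit is on bytes: 64 two-byte characters are 128 bytes of hash
    input, and a character-count check would let multibyte input through.
    """
    encoded = password.encode("utf-8")
    if len(encoded) > max_bytes:
        raise PasswordTooLong(
            f"password is {len(encoded)} bytes; limit is {max_bytes}")
    return encoded


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with the length guard in front of the KDF; returns 'salt$digest'."""
    pw = check_password_length(password)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", pw, salt, ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify a password; over-long input fails without spending KDF rounds."""
    try:
        pw = check_password_length(password)
    except PasswordTooLong:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha512", pw, bytes.fromhex(salt_hex), ROUNDS)
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("correct :", verify_password("correct horse battery staple", stored))
    print("wrong   :", verify_password("wrong", stored))
    print("4096 B  :", verify_password("a" * 4096, stored))  # rejected early
```

The same guard belongs on the create/update path as well as on verify, so a stored credential can never exceed the limit; and because the limit is measured in bytes after encoding, it holds regardless of the character set the client sends.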