[Openstack-security] [Bug 1175906] Re: passlib: long passwords trigger long checks
Lance Bragstad
ldbragst at us.ibm.com
Mon Sep 16 16:49:58 UTC 2013
Looks like Dolph's patch from comment #28 was resubmitted by Morgan
Fainberg and was merged:
https://review.openstack.org/#/c/40929/1
The review wasn't posted to this bug report.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175906
Title:
passlib: long passwords trigger long checks
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
Grant Murphy originally reported:
* Denial of Service
The passlib restriction of 4096 for maximum password length is
potentially too generous for production environments. On my local machine
the sha512_crypt algorithm with input of 4096 and 40000
rounds will potentially introduce a DOS problem:
feasible length(128) password encrypt: 0.0707409381866 seconds
feasible length(128) password verify: 0.140727996826 seconds
excessive length(4096) password encrypt: 1.33277702332 seconds
excessive length(4096) password verify: 2.66491699219 seconds
I would consider tweaking these values (length or rounds) to reduce
the computational overhead here or you're probably going to have a bad time.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175906/+subscriptions
More information about the Openstack-security
mailing list