[Openstack-security] [Bug 1175906] Re: passlib: long passwords trigger long checks
Simo Sorce
ssorce at redhat.com
Fri May 17 08:55:38 UTC 2013
Reducing the rounds will simply increase the rate of brute force attacks.
sha512_crypt is designed to be slow, it's a feature.
If you think there is a problem if too many hashing operations are requested, you should rather rate limit the number of hashing requests that can be submitted to the server.
Simo.
----- Original Message -----
> Opening so that we can apply the strengthening in a public patch.
>
> ** Summary changed:
>
> - passlib long password DoS
> + passlib: long passwords trigger long checks
>
> ** Information type changed from Private Security to Public
>
> --
> You received this bug notification because you are a member of OpenStack
> Security Group, which is subscribed to OpenStack.
> https://bugs.launchpad.net/bugs/1175906
>
> Title:
> passlib: long passwords trigger long checks
>
> Status in OpenStack Identity (Keystone):
> New
>
> Bug description:
> Grant Murphy originally reported:
>
> * Denial of Service
>
> The passlib restriction of 4096 for maximum password length is
> potentially too generous for production environments. On my local machine
> the sha512_crypt algorithm with input of 4096 and 40000
> rounds will potentially introduce a DoS problem:
> feasible length(128) password encrypt: 0.0707409381866 seconds
> feasible length(128) password verify: 0.140727996826 seconds
> excessive length(4096) password encrypt: 1.33277702332 seconds
> excessive length(4096) password verify: 2.66491699219 seconds
>
>
> I would consider tweaking these values (length or rounds) to reduce
> the computational overhead here or you're probably going to have a bad
> time.
>
> If this is exploitable, it will need a CVE; if not, we should still
> harden it so it can't be monkeyed with in the future.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1175906/+subscriptions
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
--
Simo Sorce * Red Hat, Inc. * New York
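The numbers in the bug report (roughly 20x slower verification for a 4096-byte password than for a 128-byte one at the same round count) follow from how sha512_crypt is built: the password itself is fed into the digest in every stretching round, so the work is close to rounds times password length, and one preliminary step hashes the password len(password) times over. The example below is added here and is not code from the thread, from passlib or from Keystone: it re-implements the sha512_crypt core from Drepper's published specification purely to count bytes fed to SHA-512 (a deterministic stand-in for the wall-clock figures above), and it shows the length cap the bug asks for applied before any hashing is done. It returns the raw final digest and omits crypt(3)'s base64 encoding, so its output is not a usable $6$ hash string, and the 128-byte cap, the salt and the counting wrapper are assumptions of the example. Rate limiting the verification endpoint, as suggested in the reply, is the other lever and is not shown.

```python
import hashlib
import hmac

# Hypothetical cap for illustration: the bug report calls 128 a "feasible" length.
MAX_PASSWORD_BYTES = 128


class _CountingSha512:
    """hashlib.sha512 wrapper that tallies bytes fed to it. Instrumentation only:
    it lets the cost of one hash be measured deterministically instead of timed."""

    def __init__(self, tally):
        self._h = hashlib.sha512()
        self._tally = tally

    def update(self, data):
        self._tally[0] += len(data)
        self._h.update(data)

    def digest(self):
        return self._h.digest()


def _repeat_to(block, length):
    """First `length` bytes of `block` repeated (the spec's 'repeat, then truncate')."""
    return (block * (length // len(block) + 1))[:length]


def sha512_crypt_digest(password, salt, rounds=5000):
    """Core of sha512_crypt (Drepper's spec) re-implemented for illustration.

    Returns (final 64-byte digest, bytes hashed). The crypt(3) base64 encoding is
    omitted, so the digest is NOT interchangeable with a $6$ hash string; use
    passlib or crypt(3) for real hashes.
    """
    tally = [0]
    H = lambda: _CountingSha512(tally)
    salt = salt[:16]                              # spec: at most 16 salt bytes
    rounds = max(1000, min(rounds, 999_999_999))  # spec: clamp the round count
    n = len(password)

    # Digest B = H(password || salt || password)
    b = H()
    b.update(password + salt + password)
    B = b.digest()

    # Digest A = H(password || salt || B repeated to n bytes || per-bit mix)
    a = H()
    a.update(password + salt)
    a.update(_repeat_to(B, n))
    bits = n
    while bits:                                   # one step per bit of len(password)
        a.update(B if bits & 1 else password)
        bits >>= 1
    A = a.digest()

    # P: the password hashed n times over, i.e. n*n bytes go through SHA-512 here
    dp = H()
    dp.update(password * n)
    P = _repeat_to(dp.digest(), n)

    # S: the salt hashed 16 + A[0] times
    ds = H()
    ds.update(salt * (16 + A[0]))
    S = _repeat_to(ds.digest(), len(salt))

    # Stretching loop: every round feeds P (n bytes) at least once, so the work
    # grows with rounds * len(password), not with rounds alone.
    for i in range(rounds):
        c = H()
        c.update(P if i & 1 else A)
        if i % 3:
            c.update(S)
        if i % 7:
            c.update(P)
        c.update(A if i & 1 else P)
        A = c.digest()
    return A, tally[0]


def bytes_hashed(password_len, rounds):
    """Bytes pushed through SHA-512 for a constructed password of `password_len` bytes."""
    _, count = sha512_crypt_digest(b"a" * password_len, b"saltstring", rounds)
    return count


def verify_with_cap(password, salt, rounds, stored_digest):
    """Reject over-long input before any hashing happens, then compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    digest, _ = sha512_crypt_digest(pw, salt, rounds)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    for n in (128, 4096):
        print(f"len={n:5d} rounds=40000 -> {bytes_hashed(n, 40000) / 1e6:8.1f} MB hashed")
```

With the report's 40000 rounds the 128-byte password pushes roughly 12 MB through SHA-512 and the 4096-byte one roughly 320 MB, which is the same order of ratio as the timings in the bug. Lowering rounds would shrink both numbers and cost every legitimate user the same brute-force margin; the length cap removes only the oversized case, and does so before the first hash call.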