[Openstack-security] [Bug 1175906] Re: passlib: long passwords trigger long checks
David Stanek
dstanek at dstanek.com
Mon Sep 16 16:38:36 UTC 2013
Is there any reason this bug is marked as Triaged? I see that Dolph's
patch was merged back in May and I'm wondering if there is more to do
here.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175906
Title:
passlib: long passwords trigger long checks
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
Grant Murphy originally reported:
* Denial of Service
The passlib restriction of 4096 for maximum password length is
potentially too generous for production environments. On my local machine
the sha512_crypt algorithm with input of 4096 and 40000
rounds will potentially introduce a DoS problem:
feasible length(128) password encrypt: 0.0707409381866 seconds
feasible length(128) password verify: 0.140727996826 seconds
excessive length(4096) password encrypt: 1.33277702332 seconds
excessive length(4096) password verify: 2.66491699219 seconds
I would consider tweaking these values (length or rounds) to reduce
the computational overhead here or you're probably going to have a bad time.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175906/+subscriptions
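The hardening the report asks for, as an added example (this is not Keystone's or passlib's code, and it does not reproduce Dolph's merged patch): cap the password length before any hashing work is done, and fail closed when the cap is exceeded. To keep the block standard-library only it uses hashlib.pbkdf2_hmac instead of passlib's sha512_crypt; that is a swapped-in technique, chosen because PBKDF2-HMAC prepares the keyed HMAC state once and so its per-round cost does not grow with password length, whereas sha512_crypt feeds the password bytes into every round, which is why the 4096-byte input above costs so much more than the 128-byte one. The names MAX_PASSWORD_BYTES, ROUNDS, hash_password, verify_password and PasswordTooLong are this example's own; the values 128, 4096 and 40000 are the ones quoted in the bug.

```python
"""Added example, not Keystone/passlib code: reject oversized passwords
before running the expensive hash so verify() cost stays bounded."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed limits for this example. 128 is the "feasible" length from the
# bug report; passlib's default cap of 4096 is the one being criticised.
MAX_PASSWORD_BYTES = 128
ROUNDS = 40000          # same round count as the measurements in the bug
SALT_BYTES = 16
SCHEME = "pbkdf2_sha512"


class PasswordTooLong(ValueError):
    """Raised before any hashing work has been spent on the input."""


def _encode(password: str) -> bytes:
    """UTF-8 encode and enforce the byte-length cap (length check is on
    bytes, not characters, because that is what the hash actually consumes)."""
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: scheme$rounds$salt_hex$digest_hex.
    Raises PasswordTooLong so that enrollment never stores an oversized
    password that would later be expensive to verify."""
    data = _encode(password)
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", data, salt, ROUNDS)
    return f"{SCHEME}${ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored hash. An over-length
    candidate returns False immediately, without doing ROUNDS of work,
    which is the DoS mitigation the bug report asks for."""
    try:
        data = _encode(password)
    except PasswordTooLong:
        return False
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds_n = int(rounds)
    except ValueError:
        return False  # malformed stored value: fail closed
    digest = hashlib.pbkdf2_hmac("sha512", data, salt, rounds_n)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed demo input; the "excessive" candidate mirrors the 4096-byte
    # case from the bug and is rejected before any PBKDF2 rounds run.
    stored = hash_password("correct horse battery staple")
    print("feasible  :", verify_password("correct horse battery staple", stored))
    print("wrong     :", verify_password("wrong password", stored))
    print("excessive :", verify_password("A" * 4096, stored))
```

In Keystone the equivalent knob is a configuration setting rather than a module constant, and the cap should be applied on both the create and the authenticate paths, as above: capping only at verify time still lets an oversized stored password cost the server one full hash per login attempt.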