yahoo-eng-team team mailing list archive
Message #05185
[Bug 1175906] Re: passlib: long passwords trigger long checks
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1175906
Title:
passlib: long passwords trigger long checks
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone folsom series:
Won't Fix
Status in Keystone grizzly series:
Won't Fix
Bug description:
Grant Murphy originally reported:
* Denial of Service
The passlib restriction of 4096 for maximum password length is
potentially too generous for production environments. On my local machine
the sha512_crypt algorithm with input of 4096 and 40000
rounds will potentially introduce a DoS problem:
feasible length(128) password encrypt: 0.0707409381866 seconds
feasible length(128) password verify: 0.140727996826 seconds
excessive length(4096) password encrypt: 1.33277702332 seconds
excessive length(4096) password verify: 2.66491699219 seconds
I would consider tweaking these values (length or rounds) to reduce
the computational overhead here or you're probably going to have a bad time.
If this is exploitable it will need a CVE, if not we should still
harden it so it can't be monkeyed with in the future.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1175906/+subscriptions
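The report above shows hashing cost growing with password length because sha512_crypt feeds the whole password back into every one of its rounds. The following is an added example, not code from Keystone, passlib or the bug reporter. It uses a deliberately simplified iterated SHA-512 loop built on hashlib as a stand-in model for that per-round behaviour (it is not the real sha512_crypt and its absolute timings are not comparable to the figures in the report), and it shows the defensive pattern the report asks for: enforce a maximum password length before any expensive hashing is done, so an over-long input is rejected cheaply instead of burning CPU. The constants 4096 and 40000 are the values quoted in the report; the function names and the max_length parameter are this example's own.

```python
"""Length guard in front of a length-sensitive password hash (added example).

The iterated hash below is a simplified model of why sha512_crypt's cost scales
with password length: every round re-hashes the running digest together with
the full password. It is NOT passlib's sha512_crypt implementation.
"""
import hashlib
import hmac
import time

MAX_PASSWORD_LENGTH = 4096   # the passlib cap quoted in the bug report
ROUNDS = 40000               # the round count quoted in the bug report
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def check_password_length(password: str, max_length: int) -> bytes:
    """Encode the password and reject it if it exceeds max_length bytes.

    This runs before any hashing, so the rejection costs O(len) and nothing more.
    """
    data = password.encode("utf-8")
    if len(data) > max_length:
        raise ValueError(f"password exceeds {max_length} bytes")
    return data


def iterated_hash(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Simplified model of a rounds loop whose per-round work grows with len(password)."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(rounds):
        # Each round hashes DIGEST_LEN + len(password) bytes, just as the
        # sha512_crypt round loop re-consumes the password every round.
        digest = hashlib.sha512(digest + password).digest()
    return digest


def hash_password(password: str, salt: bytes, *,
                  max_length: int = MAX_PASSWORD_LENGTH,
                  rounds: int = ROUNDS) -> bytes:
    """Guarded hashing: length check first, expensive work second."""
    data = check_password_length(password, max_length)
    return iterated_hash(data, salt, rounds)


def verify_password(password: str, salt: bytes, expected: bytes, *,
                    max_length: int = MAX_PASSWORD_LENGTH,
                    rounds: int = ROUNDS) -> bool:
    """Verify with the same guard; an over-long candidate fails fast and cheaply."""
    try:
        data = check_password_length(password, max_length)
    except ValueError:
        return False
    return hmac.compare_digest(iterated_hash(data, salt, rounds), expected)


def bytes_hashed(password_length: int, rounds: int) -> int:
    """Work estimate for the model: bytes fed to SHA-512 across all rounds."""
    return rounds * (DIGEST_LEN + password_length)


def time_hash(password_length: int, rounds: int) -> float:
    """Wall-clock seconds to hash a constructed password of the given length."""
    pw = "a" * password_length  # constructed sample input
    start = time.perf_counter()
    iterated_hash(pw.encode(), b"constructed-salt", rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    for length in (128, 4096):
        print(f"length {length:5d}: {time_hash(length, ROUNDS):.3f}s, "
              f"{bytes_hashed(length, ROUNDS):,} bytes hashed")
    # With a tighter cap the over-long candidate never reaches the hash loop.
    print("4096-byte password accepted with max_length=256?",
          verify_password("a" * 4096, b"constructed-salt", b"\x00" * DIGEST_LEN,
                          max_length=256, rounds=ROUNDS))
```

The point of the guard is the ordering: the length check is the only work an attacker-supplied over-long password can trigger, so the server's cost per rejected request stays constant regardless of what length the caller chooses. Lowering max_length to something like 256 bytes loses nothing for real users and bounds the per-attempt cost of the rounds loop.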