Avoid error on large passwords

Bug #959288 reported by Dan Prince
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dan Prince
Milestone:

Bug Description

We should put an upper limit on the password length.

Dan Prince (dan-prince)
Changed in keystone:
assignee: nobody → Dan Prince (dan-prince)
status: New → In Progress
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5507

Robert Clark (robert-clark) wrote :

I don't understand where the requirement to do this has come from.

The proposed fix doesn't limit password length, it truncates it. In my opinion this is bad practice; in any password scheme the strength of the created password should be understood by both parties. Truncating a password before storing/checking leads to a mismatch where a supplied password has more entropy than that which is used for authentication.
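
The difference between truncating and limiting that the comment above raises, as an added example that is not part of this bug report or of keystone's code. The function names, the limit of 16 and the use of PBKDF2 are assumptions made for the demonstration; the page names MAX_PASSWORD_LENGTH but gives neither its value nor the hashing scheme.

```python
import hashlib
import hmac
import os

# Constructed limit for the demo; the page does not state the real value.
MAX_PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 10_000  # assumption: kept low so the demo runs quickly

class PasswordTooLong(ValueError):
    """Raised instead of silently shortening the caller's password."""

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def hash_truncating(password: str, salt: bytes) -> bytes:
    """Truncation: characters past the limit are dropped without notice."""
    return _derive(password[:MAX_PASSWORD_LENGTH], salt)

def hash_rejecting(password: str, salt: bytes) -> bytes:
    """Hard limit: over-length input is refused, so both parties know the bound."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(f"password longer than {MAX_PASSWORD_LENGTH} characters")
    return _derive(password, salt)

def check(hasher, candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison; an over-length candidate fails under rejection."""
    try:
        return hmac.compare_digest(hasher(candidate, salt), stored)
    except PasswordTooLong:
        return False

def demo():
    salt = os.urandom(16)
    chosen = "correct horse battery staple"  # constructed sample, 28 characters
    # Same first 16 characters, different tail.
    lookalike = chosen[:MAX_PASSWORD_LENGTH] + "anything at all"
    stored = hash_truncating(chosen, salt)
    truncating_accepts = check(hash_truncating, lookalike, salt, stored)
    try:
        hash_rejecting(chosen, salt)
        rejected_at_set_time = False
    except PasswordTooLong:
        rejected_at_set_time = True
    return truncating_accepts, rejected_at_set_time

if __name__ == "__main__":
    print(demo())
```

With truncation the user believes a 28-character password protects the account while only its first 16 characters are ever checked; with rejection the limit is visible when the password is set.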

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5507
Committed: http://github.com/openstack/keystone/commit/239e4f64c2134338b32ffd6d42c0b6ff70cd040c
Submitter: Jenkins
Branch: master

commit 239e4f64c2134338b32ffd6d42c0b6ff70cd040c
Author: Dan Prince <email address hidden>
Date: Fri Mar 16 21:46:31 2012 -0400

    Add check for MAX_PASSWORD_LENGTH to utils.

    Updates to keystone password hashing and checking functions so
    that a max password length is enforced.

    Fixes LP Bug #959288.

    Change-Id: Id3048f3c916e92c59ac5b063d09c3d612d51c97c

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → essex-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc1 → 2012.1