I've updated the bug title to more accurately indicate this is a timing oracle in Keystone's core auth plugin, and so is still mitigated by the usual account brute-forcing defenses (e.g., enforcing strong authentication secrets, temporarily rejecting failing authentication attempts per source IP address, throttling calls to relevant API methods, et cetera).