Comment 18 for bug 1175906
Revision history for this message
| Thierry Carrez (ttx) wrote Re: passlib long password DoS | #18 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
OK... My proposal is to consider this a potential performance issue (rather than a vulnerability) and have the Keystone devs openly fix it in Havana, by implementing a password max length parameter.
Depending on the implementation, it could follow Jeremy's suggestion (comment 16, store maxlength per-password for eventually consistent transition), or a default of 4096 with documentation on how to reduce it. The first option is a bit convoluted, but the only way to mitigate the issue with new users without breaking old ones.
Does that work for everyone ?