Comment 4 for bug 1175906

Robert Clark (robert-clark) wrote : Re: passlib long password DoS

Thanks TTX.

My initial feeling is that truncating input is not the way to go. Indeed I seem to remember Microsoft getting lambasted for this many years ago (although the truncation was somewhat more extreme). My objection is on the basis that a client who believes they have a certain amount of complexity in their password should have confidence that this complexity is maintained in Keystone.

Making this option configurable and providing appropriate guidance seems prudent. Is there scope for throttling authentication attempts from tenants as an additional compensating control against this potential DoS?
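The two controls discussed in this comment, as an added example that is not code from the bug thread, Keystone or passlib: a configurable length limit that rejects an over-long password before any hashing work is spent on it (shown beside the truncating policy the comment argues against, so the collision it causes is visible), and a per-tenant throttle on authentication attempts as the compensating control. The setting name MAX_PASSWORD_LENGTH and its 4096-byte default, the use of hashlib's PBKDF2 in place of passlib's sha512_crypt (so the block runs without passlib), and the fixed-window throttle parameters are assumptions made here, not values from the thread.

```python
"""Added example, not Keystone or passlib code.

Assumptions (not from the bug thread): the MAX_PASSWORD_LENGTH setting and
its 4096-byte default, PBKDF2 from hashlib standing in for passlib's
sha512_crypt, and the throttle's window and attempt count.
"""
import hashlib
import os
import time

MAX_PASSWORD_LENGTH = 4096  # assumed default; make this a deployment setting


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done on an over-long password."""


def check_length(password, max_length=MAX_PASSWORD_LENGTH):
    """Reject rather than truncate: a client that chose a long password keeps
    all of it, and an attacker cannot make the hasher chew on megabytes."""
    size = len(password.encode("utf-8"))  # limit bytes, which is what the hash sees
    if size > max_length:
        raise PasswordTooLong(f"password is {size} bytes, limit is {max_length}")
    return password


def is_accepted(password, max_length=MAX_PASSWORD_LENGTH):
    """True if the password passes the length check, False if it is rejected."""
    try:
        check_length(password, max_length)
    except PasswordTooLong:
        return False
    return True


def truncating_policy(password, max_length):
    """The alternative the comment argues against: silently cutting the input.
    Two passwords that differ only after the cut become the same credential."""
    return password[:max_length]


def hash_password(password, salt=None, rounds=100_000, max_length=MAX_PASSWORD_LENGTH):
    """Length check first, then the deliberately slow hash. Returns (salt, digest)."""
    check_length(password, max_length)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


class TenantThrottle:
    """Fixed-window count of authentication attempts per tenant, the
    compensating control the comment asks about. The clock is injectable so
    the behaviour can be exercised without sleeping."""

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._windows = {}  # tenant_id -> (window_start, attempts_in_window)

    def allow(self, tenant_id):
        """Return True and record the attempt, or False if the tenant is over quota."""
        now = self.clock()
        start, count = self._windows.get(tenant_id, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= self.max_attempts:
            self._windows[tenant_id] = (start, count)
            return False
        self._windows[tenant_id] = (start, count + 1)
        return True


if __name__ == "__main__":
    # Constructed inputs: a short password, an over-long one, and two that
    # only differ beyond a truncation point.
    print("10 KiB password accepted:", is_accepted("a" * 10_240))
    print("truncation collides:", truncating_policy("hunter2-longA", 8) == truncating_policy("hunter2-longB", 8))
    throttle = TenantThrottle(max_attempts=3, window_seconds=60)
    print("attempts allowed:", [throttle.allow("tenant-a") for _ in range(4)])
```

The length check runs on the UTF-8 byte count, not the character count, because the byte string is what the hash function actually processes; the throttle keys on tenant rather than on source address so a distributed set of clients for one tenant still shares one quota.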