Comment 7 for bug 1175906

Thierry Carrez (ttx) wrote : Re: passlib long password DoS

I see two ways out of this:

1/ Consider this a vulnerability and adopt the truncating approach (benefit is that you don't break anyone on upgrade, drawback is that you're potentially lowering expected complexity, as Rob points out. With 256 characters this may be a non-issue though).

2/ Consider this a performance issue and make password length configurable in future versions, but default to 4096 so that nobody is broken on upgrade.

I'm fine with either solution... I just don't see other solutions that let us solve this without breaking people on upgrade.

Thoughts? Preferences?
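The two options above, as an added Python example that is not from this thread or from passlib/keystone: a pre-hash length policy with a truncating mode (option 1, cut at 256) and a configurable reject mode (option 2, default 4096), plus a check that shows the complexity-lowering effect of truncation. The names `apply_length_policy`, `PasswordTooLong` and the PBKDF2 stand-in for the slow hash are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 256            # option 1: silently keep only the first 256 characters
MAX_PASSWORD_LENGTH = 4096   # option 2: configurable cap, default 4096 (assumed setting name)


class PasswordTooLong(ValueError):
    """Raised in 'reject' mode when the candidate exceeds the configured cap."""


def apply_length_policy(password: str, mode: str = "reject",
                        max_length: int = MAX_PASSWORD_LENGTH) -> str:
    """Return the string that is actually handed to the slow hash.

    'truncate' never locks anyone out on upgrade, but two passwords that differ
    only after the cutoff become the same credential; 'reject' refuses long
    input before any expensive hashing happens.
    """
    if mode == "truncate":
        return password[:TRUNCATE_AT]
    if mode == "reject":
        if len(password) > max_length:
            raise PasswordTooLong(f"password longer than {max_length} characters")
        return password
    raise ValueError(f"unknown mode {mode!r}")


def hash_password(password: str, salt: bytes, mode: str = "reject") -> bytes:
    # PBKDF2 is only a runnable stand-in here; the report concerns passlib's
    # sha512_crypt, whose per-round work grows with password length.
    material = apply_length_policy(password, mode).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", material, salt, 10_000)


def verify_password(password: str, salt: bytes, expected: bytes,
                    mode: str = "reject") -> bool:
    try:
        candidate = hash_password(password, salt, mode)
    except PasswordTooLong:
        return False  # rejected before any hash work is spent on it
    return hmac.compare_digest(candidate, expected)


def truncation_collides() -> bool:
    """Option 1's drawback: two passwords differing only past the cutoff verify as equal."""
    salt = os.urandom(16)  # constructed salt for the demonstration
    stored = hash_password("A" * 256 + "x", salt, mode="truncate")
    return verify_password("A" * 256 + "y", salt, stored, mode="truncate")
```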