This repository has been archived by the owner on Feb 9, 2020. It is now read-only.

Long password denial of service vulnerability #27

Open

cianmce opened this issue Sep 30, 2018 · 0 comments

cianmce commented Sep 30, 2018

Issue

A user can enter a long password and take a server offline for a large amount of time.
As seen below, a single request with a long password of 100K characters can result in a server being frozen for ~8 minutes.
This means that with just a single computer an attacker can easily make a few requests to take a number of machines offline and achieve an effective DoS attack.

Proposed solution

OWASP recommends using a limit of 1,000

A limit of 1000 characters is sufficient to let the user choose a very big password without impacting the system.
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Input_password_size

In order to make this backwards compatible and to not affect any existing long passwords, truncation of the user's input password could be done. In all cases, a password of 1,000 characters would be just as "strong" as one of 10,000 with this gem, as length*4 is added to the score:

score = password.size * 4

Not affected

Rails applications using bcrypt are not affected as they have a limit of 72 enforced:
https://github.com/rails/rails/blob/040eb98c2be6bfb2c50b4ad85e7031f9aa97f15e/activemodel/lib/active_model/secure_password.rb#L7-L10
UNLESS they are manually checking password strength before attempting to persist it to the DB

Benchmarks

Benchmarks for password lengths with this gem can be seen here: cianmce/benchmark_password_gems

A Google sheet of the results can be seen here
fnando-password_strength

Live Demo

Site: password-dos.herokuapp.com

Source: cianmce/profile_password_checkers

@cianmce cianmce changed the title Long password denial of service Long password denial of service vulnerability Sep 30, 2018
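The two mitigations discussed in the issue (a hard limit that rejects the request, and the backwards-compatible truncation that feeds only the first 1,000 characters to the scorer), as an added example that is not part of the issue and not code from the password_strength gem. The scorer below is a hypothetical stand-in: it keeps the `size * 4` bonus the issue quotes and adds a deliberately naive O(n²) repeated-character penalty so that cost grows far faster than the score does, which is the shape of the problem; it is not the gem's real algorithm, and `MAX_SCORED_LENGTH`, `PasswordTooLong`, `truncated_score`, `strict_score` and the `strength` thresholds are all names and values chosen for this example.

```ruby
require "benchmark"

MAX_SCORED_LENGTH = 1000  # the OWASP cap the issue proposes (assumption: tune per app)

class PasswordTooLong < ArgumentError; end

# Hypothetical stand-in for a strength scorer (NOT the gem's algorithm): the
# linear `size * 4` bonus quoted in the issue, minus a repeated-character
# penalty computed the naive O(n^2) way. Scoring cost is quadratic in the
# input length while the score itself is bounded, which is what makes
# unbounded input a denial-of-service vector.
def naive_score(password)
  chars = password.chars
  repeats = 0
  chars.each_with_index do |c, i|
    ((i + 1)...chars.size).each { |j| repeats += 1 if chars[j] == c }
  end
  [password.size * 4 - repeats, 0].max
end

# Mitigation 1 (backwards compatible, as the issue proposes): truncate before
# scoring. Existing long passwords keep validating, and the scorer never sees
# more than `limit` characters, so its worst-case cost is fixed.
def truncated_score(password, limit: MAX_SCORED_LENGTH)
  naive_score(password[0, limit])
end

# Mitigation 2 (strict): refuse over-long input before any expensive work is
# done. Raising here costs O(1); the check must run BEFORE the scorer, which
# is the ordering the issue warns about for apps that score before persisting.
def strict_score(password, limit: MAX_SCORED_LENGTH)
  if password.size > limit
    raise PasswordTooLong, "password length #{password.size} exceeds #{limit}"
  end
  naive_score(password)
end

# Illustrative strength buckets over the stand-in score (thresholds are
# arbitrary for this example, not the gem's).
def strength(score)
  case score
  when 0...40 then :weak
  when 40...80 then :good
  else :strong
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: 5,000 repeated characters. The unguarded call does
  # ~12.5M comparisons; the truncated call is capped at ~500K regardless of n.
  long = "a" * 5_000
  puts "unbounded: #{Benchmark.realtime { naive_score(long) }.round(3)}s"
  puts "truncated: #{Benchmark.realtime { truncated_score(long) }.round(3)}s"
  begin
    strict_score(long)
  rescue PasswordTooLong => e
    puts "strict: rejected (#{e.message})"
  end
end
```

Either guard belongs in front of the strength check, not only in the model's persistence layer: as the issue notes, bcrypt's 72-character limit in Rails does nothing for an application that calls the scorer first. Truncation keeps existing long passwords working; the strict variant is preferable for new sign-ups where a clear validation error is acceptable.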