To avoid hashing of huge passwords limit them to 100 chars for now #16
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@@ -168,6 +168,12 @@ public function submitPassword(string $token, string $email, string $password, s | |||
], 'guest'); | |||
} | |||
|
|||
if (\mb_strlen($password) > 100) { | |||
return new TemplateResponse('core', 'error', [ | |||
'errors' => array(array('error' => $this->l10n->t('Password to long'))) |
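Review bot: the user-facing string on the last added line reads 'Password to long'; it should be 'Password too long', and since it goes through $this->l10n->t() the typo would otherwise propagate into every translation. Two smaller points on the same hunk: \mb_strlen() counts characters while the concern behind the PR (very large request bodies) and bcrypt's own 72-byte truncation are about bytes, so strlen() may be the measure actually intended; and array(array(...)) would read as [['error' => ...]] in the short-array style used elsewhere in this file. Consider also naming the 100 limit as a class constant rather than leaving a magic number with a "for now" in the title.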
'errors' => array(array('error' => $this->l10n->t('Password to long')))
'errors' => [['error' => $this->l10n->t('Password to long')]]
#PHPCS
Besides the nitpick 👍
@skjnldsv Mind doing a new release and pushing it to the appstore?
Hi, can you please point me to where hashing long passwords causes issues? There's no difference between hashing a 10-character password and a 10M-character password. PHP's bcrypt implementation (like many others) even truncates passwords at 72 chars, so there's no difference beyond 72 chars. Also see this benchmark:
>>> $o = ['cost' => 12]
=> [
"cost" => 12,
]
>>> timeit password_hash(str_repeat('A', 10), PASSWORD_BCRYPT, $o)
=> "$2y$12$VORcqUusFzA0uKwidZyEG.rba8.svSJiBqrKwHiRbke8zHf4LijKm"
Command took 0.291033 seconds to complete.
>>> timeit password_hash(str_repeat('A', 10_000_000), PASSWORD_BCRYPT, $o)
=> "$2y$12$qpzFTZeb72nrCo/U2oswZujt1BUCMUuT4O4JvW3GNPzOR8dy7eM.O"
Command took 0.283745 seconds to complete.
>>>
>>> $o = ['memory_cost' => 65536 * 2, 'time_cost' => 8, 'threads' => 2]
=> [
"memory_cost" => 131072,
"time_cost" => 8,
"threads" => 2,
]
>>> timeit password_hash(str_repeat('A', 10), PASSWORD_ARGON2ID, $o)
=> "$argon2id$v=19$m=131072,t=8,p=2$NjBEaUthbG1rNE9GSmRUMQ$DTDldfjp/CH9ZpqIInkdRhvCnqY+jHRTLl79kR0d+b0"
Command took 2.581087 seconds to complete.
>>> timeit password_hash(str_repeat('A', 10_000_000), PASSWORD_ARGON2ID, $o)
=> "$argon2id$v=19$m=131072,t=8,p=2$N2thZC5LbzFaaDFpZjRFaQ$7DRvhkyXNsLSjqcyyktc7thnsX9sx4zoABQu893WF8s"
Command took 2.577008 seconds to complete.
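The two facts the comment above relies on, bcrypt's 72-byte truncation and hashing time being independent of password length, checked in a stand-alone script. This is an added example, not code from the PR or the Nextcloud app; the helper names are mine, the costs are lowered so it finishes in a few seconds, and it assumes PHP 7.4+ (numeric separators, hrtime()).

```php
<?php
declare(strict_types=1);

/** Hash $password with bcrypt, then verify a variant that differs only after byte 72. */
function tailBeyond72IsIgnored(string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
    // Same first 72 bytes, completely different tail: bcrypt never sees the tail,
    // so password_verify() accepts the variant.
    $variant = substr($password, 0, 72) . 'a completely different tail';
    return password_verify($variant, $hash);
}

/** Wall-clock seconds for a single password_hash() call. */
function hashSeconds(string $password, string $algo, array $options): float
{
    $start = hrtime(true);
    password_hash($password, $algo, $options);
    return (hrtime(true) - $start) / 1e9;
}

/**
 * Length check in the spirit of the PR, but measured in bytes: mb_strlen()
 * counts code points, while request size and bcrypt's 72 limit are bytes.
 * Returns null when the password is acceptable.
 */
function passwordLengthError(string $password, int $maxBytes = 100): ?string
{
    return strlen($password) > $maxBytes ? 'Password too long' : null;
}

// Constructed inputs: a 72-byte prefix plus a tail that bcrypt will drop.
$base = str_repeat('A', 72) . 'original tail';
var_dump(tailBeyond72IsIgnored($base));

$short = str_repeat('A', 10);
$huge  = str_repeat('A', 10_000_000);
printf("bcrypt   10 bytes: %.3fs\n", hashSeconds($short, PASSWORD_BCRYPT, ['cost' => 10]));
printf("bcrypt  10M bytes: %.3fs\n", hashSeconds($huge,  PASSWORD_BCRYPT, ['cost' => 10]));
if (defined('PASSWORD_ARGON2ID')) {
    // Argon2 pre-hashes the input with BLAKE2b, so only that linear pass scales with size.
    $o = ['memory_cost' => 65536, 'time_cost' => 2, 'threads' => 1];
    printf("argon2id 10 bytes: %.3fs\n", hashSeconds($short, PASSWORD_ARGON2ID, $o));
    printf("argon2id 10M bytes: %.3fs\n", hashSeconds($huge,  PASSWORD_ARGON2ID, $o));
}

var_dump(passwordLengthError($huge));
var_dump(passwordLengthError('correct horse battery staple'));
```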
Well, this was an issue reported on our HackerOne project and I was able to reproduce it back then: But now I see the same things you observe.
The HackerOne report, recently disclosed, is how this caught my attention and how I got here initially :-)