To avoid hashing of huge passwords limit them to 100 chars for now #16
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
skjnldsv
approved these changes
May 11, 2020
MorrisJobke
reviewed
May 11, 2020
| @@ -168,6 +168,12 @@ public function submitPassword(string $token, string $email, string $password, s | |||
| ], 'guest'); | |||
| } | |||
|
|
|||
| if (\mb_strlen($password) > 100) { | |||
| return new TemplateResponse('core', 'error', [ | |||
| 'errors' => array(array('error' => $this->l10n->t('Password to long'))) | |||
There was a problem hiding this comment.
Suggested change
| 'errors' => array(array('error' => $this->l10n->t('Password to long'))) | |
| 'errors' => [['error' => $this->l10n->t('Password to long')]] |
nickvergessen
approved these changes
May 11, 2020
|
@skjnldsv Mind to do a new release and push it to the appstore? |
|
Hi, can you please point me to where hashing long passwords causes issues? There's no difference in hashing 10 characters long password and 10M characters long password. PHP's bcrypt implementation (like many others ) even truncates passwords at 72 chars, so there's there's no difference beyond 72 chars. Also see this benchmark: >>> $o = ['cost' => 12]
=> [
"cost" => 12,
]
>>> timeit password_hash(str_repeat('A', 10), PASSWORD_BCRYPT, $o)
=> "$2y$12$VORcqUusFzA0uKwidZyEG.rba8.svSJiBqrKwHiRbke8zHf4LijKm"
Command took 0.291033 seconds to complete.
>>> timeit password_hash(str_repeat('A', 10_000_000), PASSWORD_BCRYPT, $o)
=> "$2y$12$qpzFTZeb72nrCo/U2oswZujt1BUCMUuT4O4JvW3GNPzOR8dy7eM.O"
Command took 0.283745 seconds to complete.
>>>
>>> $o = ['memory_cost' => 65536 * 2, 'time_cost' => 8, 'threads' => 2]
=> [
"memory_cost" => 131072,
"time_cost" => 8,
"threads" => 2,
]
>>> timeit password_hash(str_repeat('A', 10), PASSWORD_ARGON2ID, $o)
=> "$argon2id$v=19$m=131072,t=8,p=2$NjBEaUthbG1rNE9GSmRUMQ$DTDldfjp/CH9ZpqIInkdRhvCnqY+jHRTLl79kR0d+b0"
Command took 2.581087 seconds to complete.
>>> timeit password_hash(str_repeat('A', 10_000_000), PASSWORD_ARGON2ID, $o)
=> "$argon2id$v=19$m=131072,t=8,p=2$N2thZC5LbzFaaDFpZjRFaQ$7DRvhkyXNsLSjqcyyktc7thnsX9sx4zoABQu893WF8s"
Command took 2.577008 seconds to complete. |
|
Well this was an issue reported on our hackerone project and I was able to reproduce it back then: But now I see the same things you observe. |
|
The HackerOne report, recently disclosed, is how this caught my attention and how I got here initially :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Roeland Jago Douma roeland@famdouma.nl