DOS Exploit #69
Hey, just wanted to let you know I've gotten reports from users of my library, Nbvcxz, who are getting a DOS every so often by specifically crafted passwords.
I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:
I've solved this by implementing a maxLength type configuration... but that isn't totally done yet, as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.
Comments
Thanks for mentioning this! This implementation should be safe as it only checks the first 100 characters, the assumption being that if you have a password longer than that, it's probably pretty secure. But this tool seems useful, I'll grab it and run some testing as well.
Thanks for checking. Do try and ensure your implementation isn't vulnerable even with the character limit. The TS port was grinding to a halt after ~20 characters and required additional algorithmic changes.
After local testing, I can confirm this library is safe against acsploit. It takes approximately 263ms on a release build for the exploit.
Thanks for confirming @jun-sheaf! I'll mark this as closed then.
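The mitigation the thread describes (cap the expensive matching at a maxLength, but still run a plain dictionary lookup on the full, untransformed password), as an added Python illustration that is not Nbvcxz or zxcvbn code; the word list, l33t table, matcher and the 100-character cap are constructed stand-ins.

```python
"""Length-capped password strength check (constructed illustration).

The costly substring matcher only ever sees the first max_length
characters, so its work is bounded by the cap instead of the input size;
the exact dictionary lookup still covers the whole password so a long
common passphrase is not missed just because it exceeds the cap.
"""
from typing import Dict, List, Tuple

MAX_LENGTH = 100  # hypothetical cap, mirrors the "first 100 characters" rule in the thread

# Constructed toy word list standing in for a real ranked dictionary.
DICTIONARY = {"password", "letmein", "correcthorsebatterystaple"}

# Small l33t table. Unleeting is applied per substring, so matcher cost grows
# with the square of the analysed length, never exponentially in it.
L33T = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "l", "$": "s"})


def dictionary_matches(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, word) for every substring that unleets to a dictionary word."""
    hits = []
    for i in range(len(text)):
        for j in range(i + 1, len(text) + 1):
            word = text[i:j].lower().translate(L33T)
            if word in DICTIONARY:
                hits.append((i, j, word))
    return hits


def check_password(password: str, max_length: int = MAX_LENGTH) -> Dict[str, object]:
    """Bounded-work check: O(1) full-length lookup, then O(cap^2) matching on the prefix."""
    # 1. Exact lookup on the full password with no transformations.
    if password.lower() in DICTIONARY:
        return {"weak": True, "reason": "exact dictionary word", "analysed": len(password), "matches": []}
    # 2. Expensive matching only on the capped prefix, so crafted length cannot inflate the work.
    prefix = password[:max_length]
    hits = dictionary_matches(prefix)
    return {"weak": bool(hits),
            "reason": "dictionary substrings" if hits else "no match",
            "analysed": len(prefix),
            "matches": hits}
```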