Hey, just wanted to let you know I've gotten reports from users of my library Nbvcxz that are getting a DOS every so often by specifically crafted passwords.
I found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:
https://github.com/twosixlabs/acsploit
GoSimpleLLC/nbvcxz#60
I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is often run server-side rather than client-side.
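The mitigation described in the issue above, sketched as an added example that is not part of the original issue and is not code from nbvcxz or zxcvbn: expensive matching only ever sees the first `maxLength` characters, while the full-length password still gets one exact dictionary lookup with no transformations. The names `guardedMatch` and `expensiveMatch`, the cap of 72 and the three-word dictionary are all assumptions made for illustration.

```javascript
// Added example with hypothetical names; not nbvcxz or zxcvbn code.
const MAX_LENGTH = 72; // assumed cap; choose one that fits your latency budget

// Constructed sample dictionary; a real deployment loads ranked wordlists.
const DICTIONARY = new Set(["password", "letmein", "correcthorsebatterystaple"]);

// Stand-in for the costly matchers. It checks every substring against the
// dictionary (quadratic in input length) and records how many characters it
// was handed, so callers can verify the work stays bounded.
function expensiveMatch(input, stats) {
  stats.charsAnalyzed += input.length;
  const matches = [];
  for (let i = 0; i < input.length; i++) {
    for (let j = i + 1; j <= input.length; j++) {
      const token = input.slice(i, j);
      if (DICTIONARY.has(token)) matches.push({ token, start: i, end: j - 1 });
    }
  }
  return matches;
}

function guardedMatch(password, maxLength = MAX_LENGTH) {
  const stats = { charsAnalyzed: 0 };
  const truncated = password.length > maxLength;

  // 1. Exact lookup on the full-length password, no transformations.
  //    One hash lookup, so its cost is linear in the length, never combinatorial.
  const fullLengthHit = DICTIONARY.has(password);

  // 2. Costly matching runs on the capped prefix only.
  const head = truncated ? password.slice(0, maxLength) : password;
  const matches = expensiveMatch(head, stats);

  return { truncated, fullLengthHit, matches, charsAnalyzed: stats.charsAnalyzed };
}

// A known password longer than the cap: the prefix alone finds nothing,
// but the full-length lookup still flags it.
const longKnown = guardedMatch("correcthorsebatterystaple", 10);
console.log(longKnown.truncated, longKnown.fullLengthHit, longKnown.matches.length);

// Constructed 5000-character input: matcher work stays capped at MAX_LENGTH.
console.log(guardedMatch("x".repeat(5000)).charsAnalyzed);
```

Without step 1, a long password that is itself a dictionary entry would be scored only on its prefix, which is the gap the issue says the `maxLength` configuration still needs to close.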