#8268 Prevent use of too long passwords
Closed: fixed 4 years ago by abbra. Opened 4 years ago by abbra.

NIST SP 800-63-3B recommends, in Appendix A.2, that password length have an upper bound:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

Users should be encouraged to make their passwords as lengthy as they
want, within reason. Since the size of a hashed password is independent
of its length, there is no reason not to permit the use of lengthy
passwords (or pass phrases) if the user wishes. Extremely long passwords
(perhaps megabytes in length) could conceivably require excessive
processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied a 256-character limit for non-random passwords set through the ipa-getkeytab tool. The limit was not, however, enforced in other places.

MIT Kerberos limits the length of the password to 1024 characters in its tools. However, these tools (kpasswd and the 'cpw' command of kadmin) do not differentiate between a password longer than 1024 characters and a password of exactly 1024 characters. As a result, longer passwords are silently cut off.

To prevent silent cut-off of user passwords, use a limit of 1000 characters.

This issue was rated as a low severity CVE by Red Hat's Security Response Team: https://bugzilla.redhat.com/CVE-2020-1722.
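The reasoning behind choosing 1000 rather than 1024, as an added illustration that is not FreeIPA's code: a tool with a fixed 1024-character input cannot tell a 1024-character password from a longer one it has truncated, so the only way to avoid silent truncation is to reject over-long passwords before they reach such a tool. The constants and the truncating-tool model are constructed from the ticket's description.

```python
# Constructed example, not FreeIPA's own code.
KRB_TOOL_LIMIT = 1024         # where kpasswd / kadmin 'cpw' cut off (from the ticket)
IPA_MAX_PASSWORD_LEN = 1000   # limit applied everywhere in FreeIPA (from the ticket)


def truncating_tool(password: str) -> str:
    """Model of a tool that silently keeps only the first 1024 characters."""
    return password[:KRB_TOOL_LIMIT]


def check_password_length(password: str, limit: int = IPA_MAX_PASSWORD_LEN) -> None:
    """Reject over-long passwords up front, before any downstream tool can truncate them.

    Raising here means the user learns the password was refused, instead of a
    shortened password being stored without anyone noticing.
    """
    if len(password) > limit:
        raise ValueError(
            f"password is {len(password)} characters long; the maximum is {limit}"
        )


def is_rejected(password: str) -> bool:
    """True when the FreeIPA-style pre-check refuses the password."""
    try:
        check_password_length(password)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Show the ambiguity the ticket describes and how the 1000-character limit removes it."""
    exact = "a" * KRB_TOOL_LIMIT            # exactly 1024 characters
    longer = "a" * KRB_TOOL_LIMIT + "tail"  # the user intended something longer
    return {
        # the tool stores the same value for both: silent truncation is invisible
        "tool_collides": truncating_tool(exact) == truncating_tool(longer),
        # the pre-check refuses both, so neither can be silently altered downstream
        "exact_rejected": is_rejected(exact),
        "longer_rejected": is_rejected(longer),
        # a password at the FreeIPA limit still passes
        "at_limit_accepted": not is_rejected("a" * IPA_MAX_PASSWORD_LEN),
    }


if __name__ == "__main__":
    print(demo())
```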


Metadata Update from @abbra:
- Issue assigned to abbra

4 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to: Kerberos tools limit the password entered in kpasswd or kadmin to 1024 characters but do not allow distinguishing between passwords cut off at 1024 characters and passwords of exactly 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.

4 years ago

master:

  • dbf5df4 CVE-2020-1722: prevent use of too long passwords

ipa-4-8:

  • 089a393 CVE-2020-1722: prevent use of too long passwords

ipa-4-6:

  • a05ebcf Add interactive prompt for the LDAP bind password to ipa-getkeytab
  • 972e720 CVE-2020-1722: prevent use of too long passwords

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
