NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.
FreeIPA already applied 256 characters limit for non-random passwords set through ipa-getkeytab tool. The limit was not, however, enforced in other places.
MIT Kerberos limits the length of the password to 1024 characters in its tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not differentiate between a password larger than 1024 and a password of 1024 characters. As a result, longer passwords are silently cut off.
To prevent silent cut off for user passwords, use limit of 1000 characters.
This issue was rated as a low severity CVE by Red Hat's Security Response Team: https://bugzilla.redhat.com/CVE-2020-1722.
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @abbra: - Custom field changelog adjusted to Kerberos tools limit password entered in kpasswd or kadmin tools to 1024 characters but do not allow to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.
master:
ipa-4-8:
ipa-4-6:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.