Closed
Bug 1320659
Opened 8 years ago
Closed 8 years ago
No password length restriction in addons.mozilla.org and bugzilla.mozilla.org
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: abdelfattahebrahim95, Assigned: jvehent)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Hey,
I am able to sign up on addons.mozilla.org and bugzilla.mozilla.org using a long password of 10000, and I think more than 10000, characters, which may lead to the website becoming unavailable or unresponsive.
Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
Normally all web sites have a minimum and maximum password length, like a 72 words limit or a 48 limit, to prevent Denial of Service attacks.
Please verify and reply back to me if you find this an issue, a risk, or a threat.
Thanks,
Abdelfattah Ibrahim.
Flags: sec-bounty?
Comment 1•8 years ago (Assignee)
Modern hashing algorithms like SHA-256 perform in the hundreds of MB per second. For fun, I tested hashing a password with 1.5 million characters, and it returned in 15 milliseconds (I suspect most of that was program initialization).
Thanks for the report, but I don't think we are concerned about denial of service through long passwords.
Assignee: nobody → jvehent
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME
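Added example (not part of the bug thread, and not code from either site): the timing described in comment 1, run over constructed passwords of the two lengths mentioned in this bug, plus a check of how an iterated HMAC-based hash treats an oversized password. PBKDF2-HMAC-SHA256, the salt and the iteration count are assumptions; the thread does not say which scheme the sites use.

```python
import hashlib
import time

# Constructed inputs: the 10,000-character password from the report and the
# 1.5-million-character one from comment 1.
SIZES = (10_000, 1_500_000)
SALT = b"constructed-salt"   # constructed value
ITERATIONS = 10_000          # assumed work factor, not taken from the page


def sha256_seconds(password: bytes) -> float:
    """Time one plain SHA-256 pass over the whole password."""
    start = time.perf_counter()
    hashlib.sha256(password).digest()
    return time.perf_counter() - start


def pbkdf2(password: bytes) -> bytes:
    """Assumed storage scheme: PBKDF2-HMAC-SHA256 with a fixed salt."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


def pbkdf2_seconds(password: bytes) -> float:
    start = time.perf_counter()
    pbkdf2(password)
    return time.perf_counter() - start


def long_key_is_prehashed(password: bytes) -> bool:
    """HMAC (RFC 2104) replaces a key longer than the hash block size
    (64 bytes for SHA-256) with its digest, so PBKDF2 over a huge password
    gives the same output as PBKDF2 over the 32-byte SHA-256 of it."""
    return pbkdf2(password) == pbkdf2(hashlib.sha256(password).digest())


if __name__ == "__main__":
    for size in SIZES:
        pw = b"A" * size
        print(f"{size:>9} chars: "
              f"sha256 {sha256_seconds(pw) * 1000:.2f} ms, "
              f"pbkdf2 {pbkdf2_seconds(pw) * 1000:.1f} ms, "
              f"prehashed={long_key_is_prehashed(pw)}")
```

Under this assumed scheme the oversized password is reduced to a 32-byte key by a single SHA-256 pass, so the iterated part of the work is the same as for a short password.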
Updated•8 years ago (Assignee)
Group: websites-security
Updated•1 year ago
Keywords: reporter-external