Application allows excessively long password value in vriteio/vrite
Oct 2nd 2023
Vrite v0.2.0 allows excessively long passwords to be set for user accounts, which introduces several issues and challenges, primarily related to performance, storage, and compatibility.
Proof of Concept
1. Create a user profile in the app.
2. Go to settings > security > Change password.
3. In the new password field, provide a very long string as input; the application accepts it without any warnings or errors.
1. Attaching sample data for reference.
2. Sample password for testing: https://drive.google.com/file/d/1BD2zySREDDhEUnwTn1w8r7Vuf6eSqPxa/view?usp=sharing
3. Sample request: https://drive.google.com/file/d/1V94FB-AvWgfslrEKpUbjCRyZeiyt4jkH/view?usp=sharing
4. Sample response: https://drive.google.com/file/d/1P7-4QAW--bXK5kqwG7gVpQkiBNKqFzFe/view?usp=sharing
Define maximum password length limits that balance security and usability.
Attackers could attempt to flood the authentication system with requests that include very long passwords, leading to resource exhaustion and potentially causing a denial of service. Longer passwords take more time to hash, which slows down user authentication and registration, especially with a large number of users or limited server resources.