dropbox / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

Possible DOS when run server side #326

Open Tostino opened 1 year ago

Tostino commented 1 year ago

Hey, just wanted to let you know I've gotten reports from users of my library Nbvcxz that are getting a DOS every so often by specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release.

I know this is usually used client side, and you recommend limiting the input prior to sending it in, in the readme...however Node.js is a thing, and not everyone listens to readme docs. So we now have vulnerable programs that depend on these libraries in the wild.

I wanted to get a warning out, and see if there is any appetite for implementing a fix like a configured max length. Up for any suggestions that get this fixed. Hopefully we can get some attention from someone at Dropbox who has access to this repo.
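The mitigation sketched in the issue (cap the length handed to the expensive matching, but still run the dictionary check over the full, untransformed password) can be put in front of any estimator on a Node.js server. The following is an added example and is not code from zxcvbn or Nbvcxz; the cap value of 72, the `toyEstimator` stand-in (whose work grows quadratically in input length, the shape of cost the issue describes), and the dictionary contents are assumptions made for illustration.

```javascript
// Added example, not code from zxcvbn or Nbvcxz: a server-side wrapper that
// caps how much of a password reaches an expensive strength estimator while
// still checking the whole, untransformed password against a dictionary.
// The cap value, the toy estimator and the dictionary below are assumptions.

const MAX_ESTIMATE_LENGTH = 72; // assumed cap; tune to your own latency budget

// Stand-in for an estimator whose cost grows with the number of candidate
// substrings it examines (quadratic in length). It reports how many spans it
// looked at so the effect of the cap is visible; the score is a toy value.
function toyEstimator(password) {
  let spansExamined = 0;
  for (let i = 0; i < password.length; i++) {
    for (let j = i + 1; j <= password.length; j++) {
      spansExamined++;
    }
  }
  return { spansExamined, score: Math.min(4, Math.floor(password.length / 4)) };
}

function guardedEstimate(password, estimator, dictionary, maxLength = MAX_ESTIMATE_LENGTH) {
  if (typeof password !== 'string') {
    throw new TypeError('password must be a string');
  }
  // The dictionary lookup is a hash probe on the full input, so it needs no
  // cap; it still rejects a long password that is itself a known weak string.
  const inDictionary = dictionary.has(password.toLowerCase());

  // Only the estimator, whose cost is superlinear, sees a bounded prefix.
  const truncated = password.length > maxLength;
  const sample = truncated ? password.slice(0, maxLength) : password;
  const estimate = estimator(sample);

  return {
    score: inDictionary ? 0 : estimate.score,
    spansExamined: estimate.spansExamined,
    truncated,
    inDictionary,
    estimatedLength: sample.length,
  };
}

// Constructed sample inputs: a tiny dictionary, a dictionary hit, and an
// oversized input that would otherwise drive the estimator's cost up.
const constructedDictionary = new Set(['correcthorsebatterystaple', 'password123']);

const shortResult = guardedEstimate('password123', toyEstimator, constructedDictionary);
const longResult = guardedEstimate('x'.repeat(5000), toyEstimator, constructedDictionary);

console.log(shortResult); // dictionary hit: score 0, not truncated
console.log(longResult);  // truncated to 72 chars before estimation
```

The split matters: truncating before the dictionary check would let an attacker-chosen suffix push a leaked password past the cap and out of the blacklist, while estimating on the full string is what the issue reports as the DoS path. Keeping the cheap check on the whole input and the expensive one on a bounded prefix gives up nothing on the first and bounds the second.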