Maximum password length: DOS Potential
-
we could enable CAPTCHA after N number of failed logins, kind of what most sites do.
-
That is not a bad idea. My concerns lie in the creation of an account where it has you make a password.
I barely know what I am talking about, but in theory 1 very large string could cause some performance issues on the server end. Whether that be from encrypting, storing, or pulling the password.
I have seen 14 gig notepad documents with just strings of characters for Brute forcing, so I suppose the same could be used for initiating a Denial of Service.
-
Hashing long passwords may possibly slow down nbb · Issue #4041 · NodeBB/NodeBB
Enforce a maximum character limit for passwords on registration (ex. 255)
When checking credentials on login, immediately deny a password string exceeding that limit
See also: #261
GitHub (github.com)
I think this is a reasonable solution for this problem
-
Also, express bodyParser has a default limit of 100kb,
https://github.com/expressjs/body-parser#limit
-
Yeah, the issue is for login (no captcha there), which asks bcrypt to hash whatever comes in; even at the 100kb limit it could potentially be abused.
-
@psychobunny what about showing a captcha after 2 or 3 failed logins?
-