
Critical vulnerability: Missing maximum password length validation with bcryptjs #864

Open
sinanptm opened this issue Nov 10, 2024 · 8 comments

Comments

@sinanptm

Summary

A critical security vulnerability in impler.io's password hashing implementation allows for potential authentication bypass and performance degradation due to missing maximum password length validation when using bcryptjs.

Details

Strapi currently uses bcryptjs for password hashing, which has a known password length limit of 72 bytes. However, Strapi's implementation only enforces a minimum password length of 8 characters without imposing a maximum length restriction during validation.

The vulnerability arises from two main issues:

  • bcryptjs silently truncates passwords exceeding 72 bytes, leading to unexpected behavior.
  • Impler.io lacks validation for maximum password length, allowing users to create passwords longer than the bcryptjs limit.

This combination can result in:

  • Passwords longer than 72 characters being truncated without user awareness.
  • Potential authentication issues as users may not realize their full password is not being stored or validated accurately.
  • Possible predictable hash values for passwords exceeding 72 characters, increasing vulnerability to attacks.

The relevant code for password hashing and validation in Impler.io should be examined, particularly in the user registration and authentication processes.

Impact

Vulnerability Type: Authentication Bypass, Information Disclosure
Severity: High
Affected Component: Password Hashing and Validation in Impler.io's Authentication System

@chavda-bhavik
Member

Thanks for this deep analysis @sinanptm. I will be more than happy to prioritize it. Would you like to contribute to the issue?

@sinanptm
Author

Thank you for the prompt response and for prioritizing this issue. I'd be happy to contribute to resolving it. I'll start working on implementing a maximum password length to mitigate the vulnerability and ensure safe password handling.

@sinanptm
Author

As I proceed, I wanted to confirm a few details regarding the solution approach. Setting a maximum password length of 72 characters (or slightly below, like 70) seems sensible, but I wanted to check if enforcing this might cause any issues for current users with passwords exceeding this length. For instance, should we consider a migration step, or would users be prompted to reset passwords only if they exceed the new limit?

Let me know your thoughts, and I’ll proceed accordingly.
@chavda-bhavik

@chavda-bhavik
Member

@sinanptm let's not worry about it. We will inform everyone about it, and if they face an issue they can just reset the password.

@sinanptm
Author

sinanptm commented Nov 12, 2024

Ok, then I will start working on it.

sinanptm changed the title from "[SECURITY] Critical vulnerability: Missing maximum password length validation with bcryptjs" to "Critical vulnerability: Missing maximum password length validation with bcryptjs" on Nov 12, 2024
@sinanptm
Author

I have added validation while signing up and resetting password.

#866

@chavda-bhavik
Member

@sinanptm let's keep the max password length at 24, including:

  • Mention in the description about max password size
  • Add validation for max password size

In addition, use constants such as MAX_PASSWORD_LENGTH, which are mentioned in the constants.config.ts file in the config folder of the web app.

@sinanptm
Author

I will update the PR once I am done.
