zxcvbn-python icon indicating copy to clipboard operation
zxcvbn-python copied to clipboard
verified publisher icon dwolfhub

DOS exploit

Open Tostino opened this issue 3 years ago • 0 comments

Hey, just wanted to let you know I've gotten reports from users of my library: Nbvcxz that are getting a DOS every so often by specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

  • https://github.com/twosixlabs/acsploit
  • https://github.com/GoSimpleLLC/nbvcxz/issues/60

I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.

Tostino avatar Jan 26 '23 22:01 Tostino