View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004759 | unreal | module api | public | 2016-10-02 15:07 | 2016-12-31 10:06 |
| Reporter | Assigned To | syzop | |||
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | no change required | ||
| Product Version | 4.0.6 | ||||
| Summary | 0004759: Variable bcrypt cost. | ||||
| Description | Using the bcrypt method for hashing passwords, Unreal uses a cost of 9. I usually prefer a cost of 12. Would it please be possible to add an option to Unreal to allow a variable cost? Example: /mkpasswd bcrypt TestPassword cost:12 and if no cost is specified it defaults to set::bcrypt-cost (which could be 9 by default)? | ||||
| 3rd party modules | |||||
|
|
The problem is that people are likely to misconfigure their server when they raise the bcrypt cost to values such as (your suggested) 12. Bcrypt hashing with a cost of 12 takes about a second to execute on my machine. During this time the entire IRCd is stalled, no other commands are executed. All it takes for an attacker to pretty much freeze your IRCd is execute the command once per second from a very limited set of clients. Such an attack scenario is very doable. |
|
|
That would be bad. That's assuming a majority of Unreal users have set::options::mkpasswd-for-everyone; enabled though. |
|
|
Ah, sorry for the confusion. I mean not only with MKPASSWD but when the password is actually checked: so /OPER, /VHOST, or wherever the password is actually used. |
|
|
See previous comments |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-10-02 15:07 |
|
New Issue | |
| 2016-10-19 16:47 | syzop | Note Added: 0019474 | |
| 2016-10-19 18:39 |
|
Note Added: 0019476 | |
| 2016-10-20 08:57 | syzop | Note Added: 0019477 | |
| 2016-12-31 10:06 | syzop | Assigned To | => syzop |
| 2016-12-31 10:06 | syzop | Status | new => closed |
| 2016-12-31 10:06 | syzop | Resolution | open => no change required |
| 2016-12-31 10:06 | syzop | Note Added: 0019588 | |
| 2017-01-06 15:48 | syzop | Category | module => module api |
