A hole in crypt_blowfish
Posted Jun 22, 2011 20:27 UTC (Wed) by dark
In reply to: A hole in crypt_blowfish
Parent article: A hole in crypt_blowfish
There's a more drastic solution: don't allow characters with the high bit set in passwords at all. Deny login to any attempts to log in with such passwords.
The users will have to get their passwords changed, but this will be limited to users who were affected by the bug, and there's no window of opportunity for attackers.
One would hope this approach is coupled with a plan to phase out the restriction, though :)
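An added illustration, not code from this thread or from crypt_blowfish itself, of why a byte with the high bit set matters and of the check the comment proposes. The two `mix_*` functions are a constructed, simplified model of a key-expansion loop that packs password bytes into a 32-bit word (not the real key schedule), and the sample password is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy form: the password is walked as signed char (plain char is signed
 * on x86).  A byte >= 0x80 is sign-extended to 32 bits before the OR, so
 * the bytes already packed into the word are overwritten with 0xFF. */
static uint32_t mix_signed(const char *key, size_t len)
{
    const signed char *p = (const signed char *)key;
    uint32_t tmp = 0;
    for (size_t i = 0; i < 4 && i < len; i++) {
        tmp <<= 8;
        tmp |= p[i];            /* signed char -> int -> uint32_t */
    }
    return tmp;
}

/* Fixed form: walk the password as unsigned char, so each byte contributes
 * exactly its own 8 bits and nothing else. */
static uint32_t mix_unsigned(const char *key, size_t len)
{
    const unsigned char *p = (const unsigned char *)key;
    uint32_t tmp = 0;
    for (size_t i = 0; i < 4 && i < len; i++) {
        tmp <<= 8;
        tmp |= p[i];
    }
    return tmp;
}

/* The gate the comment proposes: refuse any password containing a byte with
 * the high bit set (anything outside 7-bit ASCII, e.g. UTF-8 multibyte). */
int has_high_bit(const char *pw, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (((unsigned char)pw[i]) & 0x80)
            return 1;
    return 0;
}

int main(void)
{
    const char pw[] = "ab\xe9" "c";   /* constructed: 'a','b',0xE9,'c' */
    printf("signed:   %08x\n", mix_signed(pw, 4));    /* ffffe963 */
    printf("unsigned: %08x\n", mix_unsigned(pw, 4));  /* 6162e963 */
    printf("reject:   %d\n", has_high_bit(pw, 4));    /* 1 */
    return 0;
}
```

With the signed walk the two bytes before 0xE9 are lost from the word, which is why the comment treats any such password as affected.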