Okta Fixes Login Bypass Flaw Tied To Lengthy Usernames

Identity management firm Okta said Friday it has patched a critical authentication bypass vulnerability that affected customers using usernames longer than 52 characters in its AD/LDAP delegated authentication service.

The flaw, introduced on July 23 and fixed October 30, allowed attackers to authenticate using only a username if they had access to a previously cached key. The bug stemmed from Okta's use of the bcrypt algorithm to generate cache keys from combined user credentials. The company switched to PBKDF2 to resolve the issue and urged affected customers to audit system logs.
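An added example, not Okta's code and not from the story or the comments, modelling the cache-key derivation described above together with the 72-byte bcrypt input limit raised further down the thread. The layout "username followed directly by password" is an assumption, bcrypt's truncation is reproduced as a byte slice instead of calling a bcrypt library (so only the standard library is needed), and the PBKDF2 replacement shows why a KDF that consumes its whole input closes the gap.

```python
import hashlib
import hmac

# bcrypt consumes at most the first 72 bytes of its input and silently
# ignores the rest. That limit is the root cause modelled here.
BCRYPT_INPUT_LIMIT = 72


def password_bytes_hashed(username: str) -> int:
    """How many bytes of the password still reach bcrypt once the username
    has used its share of the 72-byte window. Assumed layout: username then
    password; fields placed ahead of the username lower the threshold, which
    is why the story's figure (52) is below 72."""
    return max(0, BCRYPT_INPUT_LIMIT - len(username.encode("utf-8")))


def legacy_key_input(username: str, password: str) -> bytes:
    """Flawed derivation: returns the bytes bcrypt would actually hash. The
    bcrypt call itself is left out; its truncation is the slice below."""
    return (username + password).encode("utf-8")[:BCRYPT_INPUT_LIMIT]


def legacy_keys_collide(username: str, pw_a: str, pw_b: str) -> bool:
    """True when two different passwords give the same cache key for this
    username, i.e. a cached entry would also accept the other password."""
    return pw_a != pw_b and (
        legacy_key_input(username, pw_a) == legacy_key_input(username, pw_b))


def fixed_cache_key(username: str, password: str, salt: bytes,
                    iterations: int = 600_000) -> bytes:
    """Hardened derivation: PBKDF2-HMAC-SHA256 hashes every input byte, so no
    username length can push the password out of the key. Each field is
    length-prefixed so (user='ab', pw='c') and (user='a', pw='bc') cannot
    yield identical material either."""
    u = username.encode("utf-8")
    p = password.encode("utf-8")
    material = len(u).to_bytes(4, "big") + u + len(p).to_bytes(4, "big") + p
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def fixed_keys_collide(username: str, pw_a: str, pw_b: str,
                       iterations: int = 600_000) -> bool:
    # Constructed fixed salt for the demo; use a random per-entry salt in practice.
    salt = b"constructed-demo-salt"
    return pw_a != pw_b and hmac.compare_digest(
        fixed_cache_key(username, pw_a, salt, iterations),
        fixed_cache_key(username, pw_b, salt, iterations))
```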


  • This is a 2005 era bug.

    • Re: (Score:3, Insightful)

      by krazee ( 10397245 )

      This is a 2005 era bug.

      Seriously! How did the idea of hashing username + password with a hash function that truncates the input get past any sort of security review, let alone testing?

      • There's a large company who switched from another method to Okta for its main, heavily used, web site and then 3 years later switched from Okta to another method due to the problems.

        Nothing was said publicly about the issues and costs, I guess for the same reason companies don't come out and say our 10 year SAP implementation failed at the cost of 45 million dollars.

  • by Mirnotoriety ( 10462951 ) on Friday November 01, 2024 @11:31PM (#64913995)
    Why wasn't this picked up in testing? Is it because there was no testing? Release and wait for the end user to find the bugs and fix in the next version.
  • ForThoseWonderingHowLongA52CharUserNameIsHereYouGo69

    • Either limit usernames in both front end and back end, or accept that some users will enter more than you guess they should.

      Your app should be able to handle ANY allowed inputs.

      There is no exception to this rule, other than pure unadulterated incompetence.

      • The fact that bcrypt, which is generally held in high regard, has this issue is not a good one. The limit is 72 characters, so the quick and dirty workaround would be to hash the username+password using sha256 or even better, SHA-512, and use something other than hex to allow more than four bits per character. From there, use the bcrypt algorithm as usual.

        However, going to pbkdf2, argon, or yescrypt just seems like the best solution overall... algorithms that don't have this issue. However using a hash

  • So my username that is a full copy/paste of "War and Peace" is going to cause problems?
    • So my username that is a full copy/paste of "War and Peace" is going to cause problems?

      No, that's only 13 characters; 15 if you include the quotes.

    • yes, you get a copyright strike every time you login!
