Keystone only verifies part of the secret - the first 72 characters. Additional complexity is ignored, giving users an inflated sense of security. Default length of a secret seems to be 86 characters. While brute forcing at this scale is out of reach for many attackers, the state of the art is constantly evolving.
Keystone only verifies part of the secret - the first 72 characters. Additional complexity is ignored, giving users an inflated sense of security. Default length of a secret seems to be 86 characters. While brute forcing at this scale is out of reach for many attackers, the state of the art is constantly evolving.
https://bugzilla.redhat.com/show_bug.cgi?id=1962908 https://docs.openstack.org/keystone/latest/
The CVE affects OpenStack Keystone (https://docs.openstack.org/keystone/latest/), not the similarly named Keystone Engine (https://www.keystone-engine.org/).