On Tue 29/6/2021, at 9:47 pm, roy...@gmail.com wrote:
>
>> That itself wouldn't be a problem if we could just crypt all incoming
>> password attempts before checking a username's existence - the problem is
>> that the password crypt algorithm can vary per user, so the time will vary
>> too. We
Hello Matt,
Matt Johnston wrote:
>
> Hi Roy,
>
> On Tue 29/6/2021, at 7:18 pm, roy...@gmail.com wrote:
>
>
> - Make failure delay more consistent to avoid revealing valid usernames, set
> server password limit of 100 characters. Problem reported by usd responsible
> disclosure team
>
>
> What
Hi Roy,
On Tue 29/6/2021, at 7:18 pm, roy...@gmail.com wrote:
>
>> - Make failure delay more consistent to avoid revealing valid usernames, set
>> server password limit of 100 characters. Problem reported by usd responsible
>> disclosure team
>
> What is the technical reason of limiting
Hi,
Sorry for replying to such an old message, but:
Matt Johnston wrote:
>
> Hi all,
>
> At long last Dropbear 2019.77 is released. Most changes are
> bug fixes, with a few small features. There are security
> fixes to avoid revealing the existence of valid usernames.
>
> This release also merges the