etcd has no minimum password length
## Description

### Vulnerability type
Access Control

### Workarounds
The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations. [It is the responsibility of the administrator to enforce these requirements](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md#notes-on-password-strength).
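Since etcd leaves the policy to the administrator, one way to enforce it is to gate `etcdctl user add` and `etcdctl user passwd` behind a local check. The following is an added example, not etcd project code: the policy values are constructed, the helper names are this example's own, and it assumes etcdctl's `--interactive=false` mode, which reads the password from stdin so the secret never appears in argv or shell history.

```shell
#!/usr/bin/env bash
# Added example, not etcd project code: a wrapper that applies a local
# password policy before handing the password to etcdctl, since etcd itself
# performs no length validation.

ETCD_MIN_PASSWORD_LEN="${ETCD_MIN_PASSWORD_LEN:-16}"     # constructed policy value
ETCD_MIN_DISTINCT_CHARS="${ETCD_MIN_DISTINCT_CHARS:-6}"  # constructed policy value

# check_etcd_password PASSWORD -> 0 if it meets the policy, 1 otherwise.
# The length-one password from the advisory fails the first test.
check_etcd_password() {
  pw="$1"
  if [ "${#pw}" -lt "$ETCD_MIN_PASSWORD_LEN" ]; then
    echo "rejected: length ${#pw} < $ETCD_MIN_PASSWORD_LEN" >&2
    return 1
  fi
  # Count distinct characters so a long single-character repeat does not
  # pass on length alone.
  distinct=$(printf '%s' "$pw" | fold -w 1 | sort -u | wc -l | tr -d ' ')
  if [ "$distinct" -lt "$ETCD_MIN_DISTINCT_CHARS" ]; then
    echo "rejected: only $distinct distinct characters" >&2
    return 1
  fi
  return 0
}

# etcd_user_add_checked USER [extra etcdctl flags...]
# Reads the new password from stdin, applies the policy, then creates the user.
etcd_user_add_checked() {
  user="$1"; shift
  IFS= read -r pw
  check_etcd_password "$pw" || return 1
  printf '%s\n' "$pw" | etcdctl user add "$user" --interactive=false "$@"
}

# etcd_user_passwd_checked USER [extra etcdctl flags...]
# Same policy gate for password changes.
etcd_user_passwd_checked() {
  user="$1"; shift
  IFS= read -r pw
  check_etcd_password "$pw" || return 1
  printf '%s\n' "$pw" | etcdctl user passwd "$user" --interactive=false "$@"
}
```

Source the file and pipe the password in, for example `etcd_user_add_checked alice --endpoints=https://etcd.example.internal:2379 < /path/to/secret` (endpoint is a placeholder); extra arguments pass through to etcdctl unchanged.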

### Detail
etcd does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users’ passwords with little computational effort.

### References
Find out more about this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf).

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
