Keystone only verifies part of the secret: the first 72 characters. Additional complexity is ignored, giving users an inflated sense of security. The default length of a secret seems to be 86 characters. While brute forcing at this scale is out of reach for many attackers, the state of the art is constantly evolving and we need to support OpenStack for many years to come.
The upstream report is https://bugs.launchpad.net/keystone/+bug/1901891
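The truncation described above and two ways to close it, as an added example that is not Keystone's code: the report does not name the hashing algorithm, so a hash that ignores input past 72 bytes is simulated here with PBKDF2 over the first 72 bytes. All function names are hypothetical, and the 86-character secret is constructed with `secrets.token_urlsafe(64)`.

```python
import hashlib
import hmac
import os
import secrets

LIMIT = 72  # bytes the verifier actually looks at, per the report


def truncating_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for a hash that silently ignores input past LIMIT."""
    return hashlib.pbkdf2_hmac("sha256", secret[:LIMIT], salt, 10_000)


def prehashed_hash(secret: bytes, salt: bytes) -> bytes:
    """Mitigation: digest the whole secret first so every byte matters."""
    # The hex digest is 64 ASCII bytes, which fits inside LIMIT.
    digest = hashlib.sha256(secret).hexdigest().encode()
    return truncating_hash(digest, salt)


def strict_store(secret: bytes, salt: bytes) -> bytes:
    """Alternative mitigation: refuse over-long secrets instead of truncating."""
    if len(secret) > LIMIT:
        raise ValueError(f"secret is {len(secret)} bytes; only {LIMIT} are verified")
    return truncating_hash(secret, salt)


def verify(hash_fn, candidate: bytes, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_fn(candidate, salt), stored)


def demo() -> dict:
    salt = os.urandom(16)
    secret = secrets.token_urlsafe(64).encode()  # constructed, 86 characters
    # Same first 72 bytes, different tail.
    tampered = secret[:LIMIT] + b"X" * (len(secret) - LIMIT)
    weak = truncating_hash(secret, salt)
    strong = prehashed_hash(secret, salt)
    return {
        "length": len(secret),
        "weak_accepts_tampered": verify(truncating_hash, tampered, salt, weak),
        "strong_accepts_tampered": verify(prehashed_hash, tampered, salt, strong),
        "strong_accepts_original": verify(prehashed_hash, secret, salt, strong),
    }


if __name__ == "__main__":
    print(demo())
```
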