Too long passwords can DoS some servers

The discovery of a vulnerability in popular open source web application framework Django has recently demonstrated that using a long password is not always the best thing to do.

As explained by web developer James Bennett, Django uses the PBKDF2 algorithm to hash user passwords, making it extremely difficult for brute-force attacks to be executed successfully.

“Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large — and guaranteed-to-fail — passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher,” Bennet explained in a blog post.

“This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.”

The existence of the flaw was disclosed on the public django-developers mailing list, and has left the core team scrambling to fix it as soon a possible. Fortunately, it took only a day, and they did it by limiting passwords to 4096 bytes.

The newly released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 contain the fix and all users are advised to upgrade to one of these versions immediately.

Bennett also made sure to ask that all future potential security issues always be reported via email to security@djangoproject.com, rather than through public channels.

Don't miss