Too long passwords can DoS some servers
Posted on 17 September 2013.
The discovery of a vulnerability in popular open source web application framework Django has recently demonstrated that using a long password is not always the best thing to do.


As explained by web developer James Bennett, Django uses the PBKDF2 algorithm to hash user passwords, making it extremely difficult for brute-force attacks to be executed successfully.

"Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher," Bennet explained in a blog post.

"This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."

The existence of the flaw was disclosed on the public django-developers mailing list, and has left the core team scrambling to fix it as soon a possible. Fortunately, it took only a day, and they did it by limiting passwords to 4096 bytes.

The newly released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 contain the fix and all users are advised to upgrade to one of these versions immediately.

Bennett also made sure to ask that all future potential security issues always be reported via email to security@djangoproject.com, rather than through public channels.









Spotlight

Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //