Too long passwords can DoS some servers
Posted on 17 September 2013.
The discovery of a vulnerability in popular open source web application framework Django has recently demonstrated that using a long password is not always the best thing to do.


As explained by web developer James Bennett, Django uses the PBKDF2 algorithm to hash user passwords, making it extremely difficult for brute-force attacks to be executed successfully.

"Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher," Bennett explained in a blog post.

"This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."

The existence of the flaw was disclosed on the public django-developers mailing list, and has left the core team scrambling to fix it as soon as possible. Fortunately, it took only a day, and they did it by limiting passwords to 4096 bytes.
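As an added illustration (not Django's code and not from Bennett's post), the Python below contrasts a naive PBKDF2 loop, whose cost grows with password length because HMAC re-digests a long key on every iteration, with a checker that enforces the 4096-byte cap before any hashing starts. The iteration count, salt and sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

MAX_PASSWORD_BYTES = 4096  # the cap introduced by the Django fix described above
ITERATIONS = 1000          # demo value, not any Django version's default


def pbkdf2_naive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (one 32-byte block) written the naive way: hmac.new()
    runs afresh on every iteration. HMAC pre-hashes any key longer than its
    64-byte block, so each iteration re-digests the whole password and the cost
    grows with len(password) * iterations. Illustrative only; not Django's code."""
    u = hmac.new(password, salt + struct.pack(">I", 1), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(32, "big")


def hash_password(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hardened path: reject oversized input first, then use the stdlib PBKDF2,
    which computes the HMAC pads once per call instead of once per iteration."""
    if len(password) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def check_password(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Login-time check: an oversized candidate is refused without hashing; it
    cannot match a hash that was produced under the same cap anyway."""
    if len(candidate) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def naive_seconds(password: bytes, salt: bytes = b"demo-salt") -> float:
    """Wall-clock cost of one verification through the naive hasher."""
    start = time.perf_counter()
    pbkdf2_naive(password, salt, ITERATIONS)
    return time.perf_counter() - start


if __name__ == "__main__":
    short, huge = b"correct horse", b"A" * (256 * 1024)  # constructed inputs
    print(f"naive hasher, 13-byte password : {naive_seconds(short):.3f}s")
    print(f"naive hasher, 256 KiB password : {naive_seconds(huge):.3f}s")
    print(f"capped checker on 256 KiB      : {check_password(huge, b'demo-salt', b'')}")
```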

The newly released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 contain the fix and all users are advised to upgrade to one of these versions immediately.

Bennett also made sure to ask that all future potential security issues always be reported via email to security@djangoproject.com, rather than through public channels.
Copyright 1998-2014 by Help Net Security.