Size matters

Long passwords are good, but too much length can be a DoS hazard

Django patches denial-of-service vulnerability triggered by large passcodes.

For more than a year, Ars has advised readers to use long, randomly generated passwords to protect their digital assets. Now comes definitive proof that too much password length can be detrimental to security.

It comes in the form of a just-patched vulnerability in the Django Web development framework. By default, Django uses the PBKDF2 algorithm to transform plain-text passwords into long strings called cryptographic hashes. Like scrypt and bcrypt, it's one of the most secure ways websites can store passwords "at rest," because it passes them through many hashing rounds that significantly increase the time and computational resources required to produce each hash. In the event of a breach that spills a large password database, that additional effort can add centuries to the process of cracking the raw passwords.

But as Django developers have learned, this enhanced security can be a double-edged blade. In an advisory posted Monday they explained why:

Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large—and guaranteed-to-fail—passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.

This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.

Shortly after someone disclosed the DoS vulnerability on a public forum for Django developers, maintainers scrambled to patch it. The updates, which limit passwords to 4096 bytes, are linked from Monday's advisory. The post went on to remind users that Django developers prefer to receive security disclosures privately at security@djangoproject.com so they can fix a vulnerability before it becomes widely known.
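To make the advisory's cost argument and the 4096-byte fix concrete, here is an added example (not Django's code). It implements PBKDF2-HMAC-SHA256 the naive way, where every iteration re-processes the password as an HMAC key, so the work grows with the password's length, and puts a length gate in front of it. The iteration count, the `algorithm$iterations$salt$hash` encoding, and returning `False` on oversize input are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time

MAX_PASSWORD_BYTES = 4096  # the cap the Django fix described above imposes
ITERATIONS = 10000         # assumed for this illustration, not Django's setting


def naive_pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, one 32-byte block, written the slow way: hmac.new()
    re-processes the key on every call, and a key longer than SHA-256's 64-byte
    block is hashed down first, so each iteration costs O(len(password))."""
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(32, "big")


def make_password(raw: str, salt: str = "", iterations: int = ITERATIONS) -> str:
    """Encode as pbkdf2_sha256$iterations$salt$base64(hash); format assumed here."""
    salt = salt or secrets.token_hex(8)
    digest = naive_pbkdf2_sha256(raw.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(raw: str, encoded: str) -> bool:
    """Verify raw against encoded, refusing oversize input before any hashing.
    The length check is constant-cost; checking after PBKDF2 would first pay for
    a full hash of an attacker-chosen megabyte. Returning False is our choice."""
    raw_bytes = raw.encode()
    if len(raw_bytes) > MAX_PASSWORD_BYTES:
        return False
    algorithm, iterations, salt, digest_b64 = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher")
    candidate = naive_pbkdf2_sha256(raw_bytes, salt.encode(), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def hash_cost_seconds(password_bytes: int, iterations: int = 200) -> float:
    """Wall-clock cost of hashing a password of the given size, cap not applied."""
    start = time.perf_counter()
    naive_pbkdf2_sha256(b"a" * password_bytes, b"salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for size in (64, 4096, 1 << 20):  # 1 MiB is the advisory's example size
        print(f"{size:>8} bytes: {hash_cost_seconds(size):.3f}s for 200 iterations")
```

Running the script shows the per-hash time climbing with input size even at 200 iterations; scale the 1 MiB figure up to a production iteration count to see how the advisory arrives at roughly a minute per check.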

Story updated to change the headline.
