
Having a long password is not always the right thing to do


An expert in web development has found a loophole in the popular open-source web application framework ‘Django’ which shows that having a long password is not always the right thing to do.

James Bennett, a Django developer, said that the framework uses the PBKDF2 algorithm for password hashing, making ‘brute force’ attacks impossible.

But Bennett reveals in a blog post, “this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large — and guaranteed-to-fail — passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.”

“This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes,” he further explained.
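As an added illustration (not code from the article, and not Django's own implementation), here is a minimal PBKDF2 password check in its unbounded form next to a bounded version that refuses an oversized submission before any hashing work is spent; the 4096-byte cap, the iteration count and the sample password are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Assumed values for this example: the cap must comfortably exceed any real
# password, and the iteration count stands in for the hasher's work factor.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 20_000

# Counter so a caller can see whether the expensive step ever ran.
HASH_CALLS = {"count": 0}


class PasswordTooLong(ValueError):
    """Raised before any hashing work is spent on an oversized password."""


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256; cost grows with the iteration count and, in a
    naive implementation that re-keys HMAC every round, with plaintext length."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> tuple:
    """Constructed stored credential: (salt, derived key)."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def check_unbounded(password: str, salt: bytes, stored: bytes) -> bool:
    """'Before': whatever size the client submits is fed straight to PBKDF2."""
    return hmac.compare_digest(derive(password, salt), stored)


def check_bounded(password: str, salt: bytes, stored: bytes) -> bool:
    """'After': an oversized submission is rejected before derive() runs,
    so a guaranteed-to-fail password cannot buy a minute of server CPU."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return hmac.compare_digest(derive(password, salt), stored)


def demo() -> dict:
    """Constructed scenario: a normal login, then an oversized submission."""
    salt, stored = make_record("correct horse battery staple")
    out = {"normal": check_bounded("correct horse battery staple", salt, stored)}
    oversized = "A" * (MAX_PASSWORD_BYTES + 1)  # constructed, just over the cap
    before = HASH_CALLS["count"]
    try:
        check_bounded(oversized, salt, stored)
        out["rejected"] = False
    except PasswordTooLong:
        out["rejected"] = True
    out["hash_calls_spent_on_oversized"] = HASH_CALLS["count"] - before
    return out
```

The length check is cheap and runs before the key derivation, so the only cost an oversized request can impose is reading its body.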

The flaw was disclosed to the public via the Django mailing list, forcing its developers to fix the issue ASAP. Luckily, it only took them a day.

Security researchers who find Django flaws are advised to report them next time by email to security (at) djangoproject(dot)com.

Source: softpedia.

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol, come over here and let's have fun! :3 Just keep reading :D