A vulnerability in the popular open source web application framework Django shows that using a long password is not always the best thing to do.
Django uses the PBKDF2 algorithm to hash user passwords, which makes brute-force attacks against stored hashes extremely expensive, said web developer James Bennett.
“Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large — and guaranteed-to-fail — passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher,” Bennett said in a blog post.
“This allows for denial-of-service (DoS) attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.”
The existence of the flaw ended up being disclosed on the public django-developers mailing list, which left the core team scrambling to fix it as soon as possible. Fortunately, it took only a day, and they did it by limiting passwords to 4096 bytes.
The newly released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 contain the fix and all users should upgrade to one of these versions immediately.
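As an added illustration (not Django's own code), this is the shape of the mitigation described above: a length check that runs before any PBKDF2 work, so an oversized submission is rejected without costing the server a hash computation. The 4096-byte limit is the one the article gives; the iteration count, salt handling and encoded-hash format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Limit from the article; iteration count and format are assumptions.
MAX_PASSWORD_LENGTH = 4096
ITERATIONS = 10000
ALGORITHM = "pbkdf2_sha256"

# Counts invocations of the expensive hasher so a test can prove it was skipped.
hash_calls = {"count": 0}


def _pbkdf2(password, salt, iterations):
    hash_calls["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_password(password, salt=None):
    """Return an 'algorithm$iterations$salt$hash' string for storage."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_LENGTH)
    salt = salt or os.urandom(12)
    digest = _pbkdf2(raw, salt, ITERATIONS)
    return "%s$%d$%s$%s" % (ALGORITHM, ITERATIONS,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def check_password(password, encoded):
    """Verify a password, refusing over-long input before hashing."""
    raw = password.encode("utf-8")
    # The guard comes first: a one-megabyte submission never reaches PBKDF2.
    if len(raw) > MAX_PASSWORD_LENGTH:
        return False
    algorithm, iterations, salt_b64, digest_b64 = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    candidate = _pbkdf2(raw, base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison so the check leaks nothing about the stored hash.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))
```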