Josh Wright | 14 Sep 17:12 2013

Set a reasonable upper bound on password length

Currently there is no restriction on the length of passwords accepted by the login form. Assuming someone is using an appropriately expensive hashing function for passwords, this means an attacker can chew through a _lot_ of CPU pretty easily, just by sending huge junk passwords.

Setting an upper bound on passwords (something huge, like 1k) would reduce this threat enough that reasonable rate limiting precautions would solve the issue. As it is, under the default configuration of nginx, an attacker can post passwords just shy of 1mb, and that's a lot of data to hash several thousand times...

You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/
To post to this group, send email to django-developers-/JYPxA39Uh5TLH3MbocFF+G/
Visit this group at
For more options, visit