Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Josh Wright <jshwright-Re5JQEeQqe8AvxtiuMwx3w <at> public.gmane.org>
Subject: Set a reasonable upper bound on password length
Newsgroups: gmane.comp.python.django.devel
Date: Saturday 14th September 2013 15:12:34 UTC (over 3 years ago)
Currently there is no restriction on the length of passwords accepted by 
the login form. Assuming someone is using an appropriately expensive 
hashing function for passwords, this means an attacker can chew through a 
_lot_ of CPU pretty easily, just by sending huge junk passwords.

Setting an upper bound on passwords (something huge, like 1k) would reduce 
this threat enough that reasonable rate limiting precautions would solve 
the issue. As it is, under the default configuration of nginx, an attacker 
can post passwords just shy of 1mb, and that's a lot of data to hash 
several thousand times...

-- 
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to
[email protected]blic.gmane.org
To post to this group, send email to
[email protected]rg
Visit this group at http://groups.google.com/group/django-developers.
For more options, visit https://groups.google.com/groups/opt_out.
 
CD: 2ms