It’s good practice to allow your users to have long passwords. Because a password is stored as a hash, and a hash has a fixed, predictable length, a long password can be stored in a database without worrying about exceeding the column’s length limit.
Allowing long passwords turns out to be a double-edged sword – and one I’d never considered. I was reading about a denial-of-service attack used against a website (built with Django in this case), where the attacker used the plain-text login password as the attack vector to bring the site down. They were posting extremely long passwords, knowing that hashing a password is computationally expensive. By sending many login requests with long passwords in a short period of time they were able to exhaust the server’s resources, preventing anyone from accessing the site.
Django was using PBKDF2 to hash the password. PBKDF2 is deliberately computationally expensive so that password-cracking attempts take longer; bcrypt and other password hash functions are designed the same way. Even a fast hash such as MD5 takes progressively longer as the input string grows.
Fortunately the solution is simple (and has been fixed in Django for a long time): check the length of the password submitted to the server. If it is not a sensible length, reject it before performing any computationally expensive operation on it. This is of course not limited to passwords; it applies to any data that you hash or encrypt.
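The following is an added example, not code from the post or from Django, showing the guard described above in Python with only the standard library. Both the registration and the login path measure the submitted password in bytes and reject it before `hashlib.pbkdf2_hmac` ever runs; a call counter makes it visible that an oversized login attempt costs no hashing work. The 4096-byte ceiling, the iteration count and the stored-hash format are this example’s own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Ceiling on accepted password length, in bytes. 4096 is this example's
# assumed value: far longer than any password a person would type, yet small
# enough to bound the work a single request can demand from the server.
MAX_PASSWORD_BYTES = 4096
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example

# Counts calls into the expensive hash so the guard's effect can be observed.
_expensive_calls = 0


class PasswordTooLong(ValueError):
    """Raised before any hashing work when a submitted password is oversized."""


def check_length(password: str) -> bytes:
    """Encode and measure in bytes, not characters: a multi-byte character would
    otherwise let a 4096-character string through when it is really several
    times larger on the wire."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return raw


def expensive_call_count() -> int:
    """How many times PBKDF2 has actually been run in this process."""
    return _expensive_calls


def _pbkdf2(raw: bytes, salt: bytes, iterations: int) -> bytes:
    global _expensive_calls
    _expensive_calls += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Registration path: reject oversized input before PBKDF2 runs."""
    raw = check_length(password)
    salt = salt or os.urandom(16)
    dk = _pbkdf2(raw, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login path: the same guard, because the candidate is attacker-controlled."""
    try:
        raw = check_length(password)
    except PasswordTooLong:
        return False  # rejected without touching PBKDF2
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = _pbkdf2(raw, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("a" * 100_000, stored))                   # False, no hashing done
    print(expensive_call_count())                                   # 2
```

The check belongs on every path that feeds untrusted input to the hash, not only at registration: the login form is the one an attacker can hit repeatedly without an account. Comparing the derived key with `hmac.compare_digest` keeps the verification constant-time, which is a separate concern from length but cheap to get right in the same function.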
The post Why you should limit password length appeared first on ColdFusion.