Overly long passwords can DoS some servers
Posted on 17 September 2013.
The discovery of a vulnerability in popular open source web application framework Django has recently demonstrated that using a long password is not always the best thing to do.


As explained by web developer James Bennett, Django uses the PBKDF2 algorithm to hash user passwords, making it extremely difficult for brute-force attacks to be executed successfully.

"Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher," Bennett explained in a blog post.

"This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."

The existence of the flaw was disclosed on the public django-developers mailing list, and left the core team scrambling to fix it as soon as possible. Fortunately, it took only a day, and they did it by limiting passwords to 4096 bytes.
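To illustrate the shape of that fix, here is an added example (not Django's own code) of a PBKDF2 password check that rejects oversized input before any hashing takes place; the function names, iteration count and encoded-hash format are assumptions.

```python
# Added example, not Django's implementation: a PBKDF2 verifier with the
# length guard the fix introduced, so oversized candidates are refused
# before the expensive hash computation runs. Names/parameters assumed.
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_LENGTH = 4096   # the byte limit Django adopted for the fix
ITERATIONS = 100_000         # assumed PBKDF2 iteration count


def make_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return an encoded hash: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(candidate: str, encoded: str, stats: Optional[dict] = None) -> bool:
    """Verify candidate against an encoded hash; refuse oversized inputs first.

    `stats`, when given, records whether the costly hash was computed, so a
    caller (or test) can confirm that oversized passwords short-circuit.
    """
    if stats is not None:
        stats["hashed"] = False
    raw = candidate.encode("utf-8")
    # Length guard: the DoS in the article comes from hashing attacker-chosen,
    # arbitrarily long input. Measure bytes, not characters, since multi-byte
    # UTF-8 text reaches the limit with fewer characters.
    if len(raw) > MAX_PASSWORD_LENGTH:
        return False
    algorithm, iterations, salt_hex, hash_hex = encoded.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    if stats is not None:
        stats["hashed"] = True
    dk = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification time does not leak hash bytes.
    return hmac.compare_digest(dk.hex(), hash_hex)
```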

The newly released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 contain the fix and all users are advised to upgrade to one of these versions immediately.

Bennett also made sure to ask that all future potential security issues always be reported via email to security@djangoproject.com, rather than through public channels.