Long Passwords Could Have Crashed Security Website

Status
Not open for further replies.

anti-painkilla

I cannot understand why someone would even need a 4000-character password for these websites, let alone a 100-character one. I would bet that the majority of the passwords are the minimum length allowed.
 

palladin9479

"Long passwords are great: As a user, the longer your passwords are (while still being memorable and usable), the more secure you are."

This is very false. Longer passwords only protect against brute-force attacks but not social engineering. If anything they make the user more prone to side-band attacks as humans can't easily remember such long *random* passwords and expect to change them every 90 days. Instead they write them down or store them in a text file on their desktop. That in turn makes them vulnerable to social engineering or other non-brute-force attacks that focus on revealing the password or hints at the password instead of trying all random values until you hit on a match.
 

jtd871

I would imagine that long passwords stored as a cryptographic hash would also be vulnerable to a birthday attack.
 

leo2kp

This has been an issue for web security for quite a while. Not sure why they didn't start out with a password length limit. Nub mistake.
 