Long password denial of service

Description

By sending a very long password (1.000.000 characters) it's possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

This vulnerability was detected by sending passwords with various lengths and comparing the measured response times. Consult details for more information.

Remediation

The password hashing implementation must be fixed to limit the maximum length of accepted passwords.

References