Currently there is no restriction on the length of passwords accepted by the login form. Assuming someone is using an appropriately expensive hashing function for passwords, this means an attacker can chew through a _lot_ of CPU pretty easily, just by sending huge junk passwords.
Setting an upper bound on passwords (something huge, like 1k) would reduce this threat enough that reasonable rate limiting precautions would solve the issue. As it is, under the default configuration of nginx, an attacker can post passwords just shy of 1mb, and that's a lot of data to hash several thousand times... -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
