Long password denial of service
Description
This vulnerability allows an attacker to cause a denial of service by submitting an extremely long password (e.g., 1,000,000 characters) to the authentication system. The issue typically stems from inefficient password hashing implementations that do not limit input length before processing. When the server attempts to hash the oversized password, it consumes excessive CPU and memory resources, potentially rendering the application unresponsive or unavailable. This vulnerability is confirmed by measuring response time variations when submitting passwords of different lengths.
Remediation
Implement input length validation to reject passwords exceeding a reasonable maximum length before they reach the hashing function. Follow these steps:
1. Enforce maximum password length: Limit password input to 72-128 characters at the application layer before hashing. Most password hashing algorithms have practical limits (e.g., bcrypt effectively uses only the first 72 bytes).
2. Add server-side validation: Reject requests with excessive password lengths early in the request processing pipeline.
Example implementation:
// Example in JavaScript (hashPassword is the application's existing hashing routine)
const MAX_PASSWORD_LENGTH = 128;

class ValidationError extends Error {}

function validatePassword(password) {
  // Reject oversized or non-string input before any hashing work is done
  if (typeof password !== 'string' || password.length > MAX_PASSWORD_LENGTH) {
    throw new ValidationError('Password exceeds maximum length');
  }
  // Proceed with hashing only after validation
  return hashPassword(password);
}
3. Use modern hashing algorithms: Ensure you are using recommended algorithms like bcrypt, scrypt, or Argon2 with appropriate work factors.
4. Implement rate limiting: Add rate limiting on authentication endpoints to prevent repeated exploitation attempts.