Long Passwords Could Have Crashed Security Website
Django discovered, and quickly patched, a security vulnerability that would have let hackers turn Django's strong password security against it.
Long passwords are great: As a user, the longer your passwords are (while still being memorable and usable), the more secure you are.
But from a developer's perspective, the complications of managing long passwords could be a security vulnerability.
In a nutshell, the complex password-storage system used by a commercial Web framework called Django is so secure that hackers could use its own security to bring the website down.
MORE: 7 Computer-Security Fixes to Make Right Now
Django's systems are used by Instagram, Pinterest and any website that uses the service Disqus to manage its comments sections.
To encourage users to create secure, long passwords, Django didn't put a limit on password length.
Django also stores its users' passwords in an encrypted form, using a complicated algorithm called PBKDF2 to transform the passwords into what are called "cryptographic hashes."
That means any hackers who managed to break into Django's systems wouldn't be able to see the users' actual passwords; all they'd see are arbitrary-looking strings of characters that cannot be easily converted back into the original password characters.
Every time someone tries to log in to a Django website, Django's system goes through a complicated process of checking that password against all the cryptographic hashes stored on its servers.
This method has the advantage of preventing brute-force attacks, which is when hackers try to log in to a platform by writing a program that methodically tries every possible combination of characters in hopes of eventually finding the right password.
However, a Web developer recently discovered that this complicated security could actually be used against Django.
A double-edged sword
In the case of a brute-force attack, the attacker is trying to gain access to the system. But the developer found that if the attackers are just trying to mess things up, they could go to Django's login page and repeatedly submit hundreds of extremely long "junk" passwords of thousands of characters or more.
Having to check all these junk passwords against the stored cryptographic hashes puts a heavy strain on Django's system and eventually overtaxes it.
The result is essentially a denial-of-service attack, which is when attackers bombard a server with website hits or other requests that, when combined, eventually bring the server offline.
There haven't been any known attacks that used this method. Nevertheless, Django has since patched this vulnerability by setting a limit on password length: 4096 bytes, or around 4,096 of the characters found on a keyboard. The updated version is available on Django's website.

So what's the takeaway? Users should keep using long passwords. Developers, however, should be aware that strong password security could become a double-edged sword.
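To make the storage scheme and the fix above concrete, here is an added example (not Django's own code) of a PBKDF2-SHA256 password store whose encoded string is modelled on Django's layout. The verifier enforces the 4096-byte limit the article quotes before it does any hashing, so a multi-kilobyte junk password submitted to the login page costs a length comparison rather than a full PBKDF2 run. The iteration count, salt format and `pbkdf2_calls` counter are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Limit described in the article: reject passwords over 4096 bytes before
# running PBKDF2. The constant name is an assumption for this example.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 100_000  # hypothetical work factor; real deployments tune this

# Counts PBKDF2 invocations so a test can show the cap skips the hash entirely.
pbkdf2_calls = {"count": 0}


def _pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One PBKDF2-HMAC-SHA256 derivation (hashlib's C implementation)."""
    pbkdf2_calls["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_password(password: str, salt: str = "",
                  iterations: int = ITERATIONS) -> str:
    """Encode as 'pbkdf2_sha256$iterations$salt$b64hash' (layout modelled
    on Django's encoded string; this is not Django's own hasher)."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = salt or secrets.token_urlsafe(16)
    digest = _pbkdf2(raw, salt.encode("ascii"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode("ascii"))


def check_password(password: str, encoded: str) -> bool:
    """Verify a login attempt against the stored hash for one account.

    The byte-length check runs first: an over-long password is rejected
    without spending any HMAC rounds, which is the denial-of-service fix."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    algorithm, iterations, salt, b64hash = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(b64hash)
    actual = _pbkdf2(raw, salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(actual, expected)  # constant-time comparison
```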
Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.
Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.
anti-painkilla: I cannot understand why someone would even need a 4000 character password for these websites, let alone a 100 character one. I would bet that the majority of the passwords are the minimum length allowed.

palladin9479: "Long passwords are great: As a user, the longer your passwords are (while still being memorable and usable), the more secure you are."
This is very false. Longer passwords only protect against brute force attacks but not social engineering. If anything they make the user more prone to side-band attacks as humans can't easily remember such long *random* passwords and expect to change them every 90 days. Instead they write them down or store them in a text file on their desktop. That in turn makes them vulnerable to social engineering or other non-brute force attacks that focus on revealing the password or hints at the password instead of trying all random values until you hit on a match.

jtd871: I would imagine that long passwords stored as a cryptographic hash would also be vulnerable to a birthday attack.

leo2kp: This has been an issue for web security for quite a while. Not sure why they didn't start out with a password length limit. Nub mistake.
