I was thinking it is possible to generate a hash from a given password that is exactly the same as the hash written to the database.
Only if you use the same salt, but you don't have the salt, so therein lies the problem 😄
"A double-edged sword
In the case of a brute-force attack, the attacker is trying to gain access to the system. But the developer found that if the attackers are just trying to mess things up, they could go to Django's login page and repeatedly submit hundreds of extremely long "junk" passwords of thousands of characters or more.
Having to check all these junk passwords against the stored cryptographic hashes puts a heavy strain on Django's system and eventually overtaxes it.
The result is essentially a denial-of-service attack, which is when attackers bombard a server with website hits or other requests that, when combined, eventually bring the server offline.
There haven't been any known attacks that used this method. Nevertheless, Django has since patched this vulnerability by setting a limit on password length: 4096 bytes, or around 4,096 of the characters found on a keyboard. The updated version is available on Django's website. So what's the takeaway? Users should keep using long passwords. Developers, however, should be aware that strong password security could become a double-edged sword."
Going through the admin options, I realized that there is no option for a maximum password length.
I have previously seen this feature having its purpose questioned (https://github.com/NodeBB/NodeBB/issues/261), indicating it used to be a thing; however, it does not appear to be now. Does anybody know why?
We could enable CAPTCHA after N failed logins, kind of like what most sites do.
That is not a bad idea. My concerns lie in the creation of an account where it has you make a password.
I barely know what I am talking about, but in theory one very large string could cause some performance issues on the server end, whether that be from encrypting, storing, or pulling the password.
I have seen 14 GB Notepad documents with just strings of characters for brute forcing, so I suppose the same could be used for initiating a denial of service.
@lulzdev I guess most of us can try the theory out, even mathematically if that's needed. But it's indeed an interesting topic to have.
I think this is a reasonable solution for this problem
@lulzdev we do enable CAPTCHA on registration as well.
Also, Express bodyParser has a default limit of 100kb.
Yeah, the issue is for login (no CAPTCHA there), which asks bcrypt to hash whatever comes in; even at the 100kb limit, it could potentially be abused.
@psychobunny what about showing a captcha after 2 or 3 failed logins?
Appreciate the responses.
If login is where the potential lies, then CAPTCHA would certainly take care of it.