No Password Length Restriction leads to Denial of Service

6 days ago
We've received an email from an `ethical` hacker, his other points regarding vulnerabilities in our setup were correct so I assume the one below is too.
I am able to create a password with 1000000 words which fully leads to MySQL or server side Denial Of Service attack. Also this issue can dump your database.

You need to decrease password length :There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for Denial Of Service attack.

Normally all sites have a password minimum to maximum length like 72 words limit or 48 limit to prevent Denial Of Service attack. in my sql but in your website there are no limitation.

I've been unable to reproduce this one, does anyone believe this could be an issue with nopcommerce?
5 days ago
I think the concern is correct.
nopCommerce should include max length restriction in password!
3 days ago
Any input from other active contributors?
Happy to create an issue and create a PR for an optional max password length if we have a consensus that nopCommerce needs this.
3 days ago
It's not about passwords. The same can be said about any input in nopCommerce - first name, last name, contact us message, product reviews, etc

But I'm not sure how exactly we can use it to reproduce Denial of Service. Anyway we'll investigate it further. Here is a work item
3 days ago
a.m. wrote:
It's not about passwords. The same can be said about any input in nopCommerce ...

I would disagree.  The original post mentions that the issue is due to "hashing a large amount of data can cause significant resource consumption".  
I.e. it's the expense of hashing/encrypting that can cause performance to be affected / DOS,
2 days ago
New York wrote:
I would disagree.  The original post mentions that the issue is due to "hashing a large amount of data can cause significant resource consumption".

You're right. I've just created a new work item

I've meant the following scenario with this work item:
1. A "hacker" registers a new account with very-very long first name and last name (for example)
2. Each time a web request is made to the server they are loaded from a database. Hence extra load to a server
12 hours ago
Hi. We've added a password length limit, see this commit for details.