I am able to create a password with 1000000 words which fully leads to MySQL or server side Denial Of Service attack. Also this issue can dump your database.
You need to decrease password length :There are two reasons for limiting the password size. For one, hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for Denial Of Service attack.
Normally all sites have a password minimum to maximum length like 72 words limit or 48 limit to prevent Denial Of Service attack. in my sql but in your website there are no limitation.
I've been unable to reproduce this one, does anyone believe this could be an issue with nopcommerce?