Eobot: No password length restriction

2016-09-10T11:26:46
ID H1:167351
Type hackerone
Reporter mr_sharma_
Modified 2016-11-10T07:47:43

Description

Hello Eobot, I am able to sign up on your web application using a long 100000-character password, which may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

Normally all sites have a minimum to maximum password length, like a 72 words limit or a 48 limit, to prevent Denial of Service attacks. Please verify and reply back to me if you find this an issue, a risk, or a threat. Thanks, Gopesh Sharma
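
A server-side guard for the issue reported above, as an added example that is not part of the original report and not Eobot's code. It caps the password by UTF-8 byte length before any hashing work starts, on both sign-up and login; the limits, the iteration count, and all function names are assumptions chosen for illustration (72 is the upper figure the report mentions).

```python
import hashlib
import hmac
import os

# Assumed limits for this example; 72 is the upper figure the report mentions.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 72
PBKDF2_ITERATIONS = 100_000  # constructed value, tune for your hardware


class PasswordPolicyError(ValueError):
    """Raised before any hashing work is done."""


def encode_checked(password: str) -> bytes:
    # Every character is at least one byte, so this cheap check rejects
    # an oversized string without encoding it first.
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError("password too long")
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordPolicyError("password too short")
    try:
        raw = password.encode("utf-8")
    except UnicodeEncodeError as exc:
        raise PasswordPolicyError("password is not valid text") from exc
    # The hash consumes bytes, so multi-byte characters count by their size.
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError("password too long")
    return raw


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Sign-up path: validate, then derive a salted hash."""
    raw = encode_checked(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Login path: reachable without an account, so the same cap applies."""
    try:
        raw = encode_checked(password)
    except PasswordPolicyError:
        return False  # rejected without spending any KDF time
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)
```

A request body size limit at the web server or framework layer complements this check, since the oversized string is otherwise still received and parsed before the guard runs.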