For more than a year, Ars has advised readers to use long, randomly generated passwords to protect their digital assets. Now comes definitive proof that too much password length can be detrimental to security.
It comes in the form of a just-patched vulnerability in the Django Web development framework. By default, Django uses the PBKDF2 algorithm to transform plain-text passwords into long strings called cryptographic hashes. Like scrypt and bcrypt, it's one of the most secure ways websites can store passwords "at rest," because it passes them through multiple hashing rounds that significantly increase the time and computational resources required to compute each hash. In the event of a breach that spills a large password database, the additional effort can literally add centuries to the process of cracking the raw passwords.
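To make the trade-off concrete, here is an added example (not Django's own code, and not taken from the advisory) of PBKDF2 password storage in Python's standard library. It shows the two knobs discussed above: the iteration count, which multiplies the attacker's cracking cost, and a cap on password length, which bounds the work a single login attempt can impose on the server. The iteration count, the 16-byte salt size and the 4096-byte cap are constructed values chosen for illustration, not Django's defaults.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; they are not Django's settings.
ITERATIONS = 100_000          # work factor: each extra round costs an attacker the same extra time
SALT_BYTES = 16               # per-user random salt defeats precomputed tables
MAX_PASSWORD_BYTES = 4096     # hypothetical upper bound on accepted password size


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return an encoded hash 'pbkdf2_sha256$<iters>$<salt hex>$<key hex>'.

    The length check runs before any hashing so that an oversized input is
    rejected cheaply instead of being fed into the expensive key derivation.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the maximum accepted length")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    algo, iters, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        # Same early exit on the verification path: no key derivation is attempted.
        return False
    derived = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derived.hex(), key_hex)


def hmac_invocations(iterations: int, dklen: int = 32, hash_len: int = 32) -> int:
    """Number of HMAC calls PBKDF2 performs: iterations per output block,
    times the number of hash-sized blocks needed to fill the derived key."""
    blocks = -(-dklen // hash_len)   # ceiling division
    return iterations * blocks


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
    print(hmac_invocations(ITERATIONS))
```

Raising `ITERATIONS` slows every legitimate login by the same factor it slows an offline cracking attempt, which is the intended cost; the length cap exists so that the cost per attempt stays bounded regardless of what a client submits.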
But as Django's developers have learned, this enhanced security can be a double-edged sword. In an advisory posted Monday they explained why: