From 37afcbeb92cd556ff1081c9db5a4a320efd5b7a3 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 17 Oct 2013 18:58:24 -0400 Subject: [PATCH] [1.6.x] Removed 1.6 release note text regarding password limit length. This change was reverted in 5d74853e156105ea02a41f4731346dbe272c2412. Backport of d97bec5ee3 from master --- docs/releases/1.6.txt | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index a0ae500c74..93ad4c76e7 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -810,22 +810,6 @@ as JSON requires string keys, you will likely run into problems if you are using non-string keys in ``request.session``. See the :ref:`session_serialization` documentation for more details. -4096-byte limit on passwords -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - This behavior was also added in the Django 1.5.4 and 1.4.8 security - releases. - -Historically, Django has imposed no length limit on plaintext -passwords. This enables a denial-of-service attack through submission -of bogus but extremely large passwords, tying up server resources -performing the (expensive, and increasingly expensive with the length -of the password) calculation of the corresponding hash. - -Django now imposes a 4096-byte limit on password length, and will fail -authentication with any submitted password of greater length. - Miscellaneous ~~~~~~~~~~~~~
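Review bot: The removed ".. note::" at the top of the deleted section says the 4096-byte limit "was also added in the Django 1.5.4 and 1.4.8 security releases", so dropping the whole section leaves docs/releases/1.6.txt silent on a behaviour that users upgrading from those releases may still expect. The commit message only points at the revert 5d74853e156105ea02a41f4731346dbe272c2412 and does not say what, if anything, now addresses the denial-of-service risk from extremely large passwords that the deleted paragraph describes. Consider keeping a short entry in the 1.6 notes stating that authentication no longer fails for passwords over 4096 bytes and how the cost of hashing oversized passwords is handled instead, or at least summarising that in the commit message so the reason for the removal is visible without following the hash.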