For a long time, security researchers have recommended longer passwords because the odds of cracking them are lower than for shorter ones. However, it has now been revealed that longer passwords carry the risk of DoS attacks, especially if the web service does not enforce a maximum password length.
Web-based services use different hashing mechanisms to ‘encrypt’ (more precisely, hash) the passwords once users provide them. Hashing makes it possible to store passwords so that they cannot be read back directly. However, the hashing process may take a while if the chosen password is really long.
This is good for security in that an attacker would find it very difficult to crack such a password. At the same time, an attacker can go to a web service and submit really long passwords that are bound to fail. This wouldn’t give him access to the account he is attempting to crack.
But the system would still try to match each submission against the stored password hash, performing numerous computations in the process. The longer the password, the greater the number of computations. So if the attacker can submit sufficiently long passwords repeatedly, or from multiple IP addresses, he may be able to mount something like a DoS attack and halt access to the server.
This can be avoided by ensuring that, although longer passwords are encouraged, they do not exceed a specific maximum length. At the same time, a server should be sized to process many passwords of the maximum length at once.
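The mitigation described above, as an added example that is not from the original article: a length cap enforced on both the registration and the login path before any slow hashing runs, counting encoded bytes rather than characters. The 128-byte limit, the PBKDF2 iteration count and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed cap: far beyond any passphrase a person types, yet small enough
# that the hashing cost of one attempt stays bounded.
MAX_PASSWORD_BYTES = 128
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow hash


class PasswordTooLong(ValueError):
    """Raised before any hashing work is spent on an over-long submission."""


def _check_length(password: str) -> bytes:
    # Count UTF-8 bytes, not characters: a single non-ASCII character can
    # occupy several bytes, and bytes are what the hash function processes.
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(data)} bytes; limit is {MAX_PASSWORD_BYTES}")
    return data


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Registration path: returns (salt, digest), rejecting long input first."""
    data = _check_length(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login path: the cheap length check runs before the expensive PBKDF2."""
    data = _check_length(password)
    candidate = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login_attempt(password: str, salt: bytes, digest: bytes) -> str:
    """Outcome label: 'rejected' means no hashing work was done at all."""
    try:
        return "ok" if verify_password(password, salt, digest) else "wrong"
    except PasswordTooLong:
        return "rejected"
```

A megabyte-long submission is refused by the byte count alone, so each such request costs the server a string length check rather than a full key-derivation run.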