This repository has been archived by the owner on Feb 9, 2020. It is now read-only.
Issue
A user can enter a long password and take a server offline for a large amount of time.
As seen below, a single request with a long password of 100K characters can result in a server being frozen for ~8 minutes.
This means that with just a single computer an attacker can easily make a few requests to take a number of machines offline and achieve an effective DoS attack.
Proposed solution
OWASP recommends using a limit of 1,000.
In order to keep this backwards compatible and not affect any existing long passwords, the user's input password could be truncated. In all cases, a password of 1,000 characters would be just as "strong" as one of 10,000 with this gem, as length*4 is added to the score:
password_strength/lib/password_strength/base.rb, line 146 in 6b4cf33
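The mitigation proposed above, as an added example (not code from the password_strength gem): the string handed to the strength checker is capped at 1,000 characters while the full password still goes to the hasher, so existing long passwords keep working and the length*4 term saturates at the cap. The scorer here is a constructed stand-in with only the length*4 term and a made-up variety bonus; the stricter reject-instead-of-truncate variant is included for comparison.

```ruby
# OWASP-recommended upper bound cited in the issue
STRENGTH_INPUT_LIMIT = 1_000

# Constructed stand-in for a gem-style checker (not the gem's code).
# The length * 4 term is the one the issue describes; the variety
# bonuses are made up and only exist to make the score non-trivial.
def toy_strength_score(password)
  score = password.length * 4
  score += 10 if password =~ /[a-z]/
  score += 10 if password =~ /[A-Z]/
  score += 10 if password =~ /\d/
  score += 15 if password =~ /[^a-zA-Z0-9]/
  score
end

# Truncate only what the (expensive) strength check sees. The caller
# still hashes/stores the original password, so nothing changes for
# users who already have passwords longer than the limit.
def strength_input(password, limit: STRENGTH_INPUT_LIMIT)
  password.to_s[0, limit]
end

def bounded_strength_score(password, limit: STRENGTH_INPUT_LIMIT)
  toy_strength_score(strength_input(password, limit: limit))
end

# Stricter alternative for new passwords: refuse oversized input before
# any scoring work runs. Returns [accepted?, reason].
def accept_for_strength_check?(password, limit: STRENGTH_INPUT_LIMIT)
  if password.to_s.length > limit
    return [false, "password longer than #{limit} characters"]
  end
  [true, nil]
end

if __FILE__ == $PROGRAM_NAME
  just_over = "Tr0ub4dor&3" * 91     # 1,001 chars (constructed), capped to 1,000
  very_long = "Tr0ub4dor&3" * 1_000  # 11,000 chars (constructed)
  # Both score identically once the checker input is bounded.
  puts bounded_strength_score(just_over) == bounded_strength_score(very_long)
  puts accept_for_strength_check?(very_long).inspect
end
```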
Not affected
Rails applications using bcrypt are not affected, as they enforce a limit of 72:
https://github.com/rails/rails/blob/040eb98c2be6bfb2c50b4ad85e7031f9aa97f15e/activemodel/lib/active_model/secure_password.rb#L7-L10
UNLESS they are manually checking password strength before attempting to persist it to the DB.
Benchmarks
Benchmarks for password lengths with this gem can be seen here: cianmce/benchmark_password_gems
A Google sheet of the results can be seen here
Live Demo
Site: password-dos.herokuapp.com
Source: cianmce/profile_password_checkers