Very long passwords (e.g. 1MB) can fully load a machine, because calculating a pbkdf2 hash of a 1MB password takes a very long time.
Limit password to 4096 chars.
http://www.heise.de/newsticker/meldung/Lange-Passwoerter-legen-Djangos-Webapps-lahm-1957899.html
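
An added example, not part of the original message or of any project's code: one way to enforce the 4096-character limit before PBKDF2 runs, on both the hashing and the verification path. The iteration count, the storage format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH = 4096      # limit stated in the text above (counted in characters)
ITERATIONS = 100_000            # assumed work factor, not taken from the original text
stats = {"kdf_calls": 0}        # counts PBKDF2 runs so the early rejection is observable


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done."""


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # The length check comes first: an oversized input never reaches the KDF.
    if len(password) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_LENGTH} characters")
    stats["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Registration / password change: raises PasswordTooLong on oversized input."""
    salt = os.urandom(16)
    digest = _derive(password, salt, ITERATIONS)
    # Hypothetical storage format: algorithm$iterations$salt$digest
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login: reachable without authentication, so the limit must apply here too."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    try:
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    except PasswordTooLong:
        return False            # treated like any other wrong password
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(verify_password("correct horse battery staple", record))
    print(verify_password("A" * (1024 * 1024), record))      # 1MB input, rejected early
    print(stats["kdf_calls"])
```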