- Improvement
- Resolution: Fixed
- Major
- 3.0.12-RC3
- None
- None
We are using the phpass hashing scheme which uses 2^11 rounds of md5 to compute the final password hash. While 2^11 = 2048 is a constant number, this means that a very long password of 1 MiB of data will result in 2 GiB being processed by md5(). This is unnecessary and can be easily prevented by rejecting very long passwords, say those that are longer than 4 KiB.