1 files changed, 12 insertions, 4 deletions

diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
index 0c58f96b4..fcfe4c24b 100644
--- a/user_guide_src/source/general/security.rst
+++ b/user_guide_src/source/general/security.rst
@@ -133,17 +133,25 @@ with that. Please read below.
    provides them for you as long as you're running at least PHP version
    5.3.7 (and if you don't meet that requirement - please, upgrade).
 
+   If you're one of the really unlucky people who can't even upgrade to a
+   more recent PHP version, use `hash_pbkdf() <http://php.net/hash_pbkdf2>`,
+   which we also provide in our compatibility layer.
+
 -  DO NOT ever display or send a password in plain-text format!
 
    Even to the password's owner, if you need a "Forgotten password"
    feature, just randomly generate a new, one-time (this is also important)
    password and send that instead.
 
--  DO NOT put artificial limits on your users' passwords.
+-  DO NOT put unnecessary limits on your users' passwords.
+
+   If you're using a hashing algorithm other than BCrypt (which has a limit
+   of 72 characters), you should set a relatively high limit on password
+   lengths in order to mitigate DoS attacks - say, 1024 characters.
 
-   There's no point in forcing a rule that a password can only be up to
-   a number of characters, or that it can't contain a certain set of
-   special characters.
+   Other than that however, there's no point in forcing a rule that a
+   password can only be up to a number of characters, or that it can't
+   contain a certain set of special characters.
 
    Not only does this **reduce** security instead of improving it, but
    there's literally no reason to do it. No technical limitations and