diff --git a/src/wp-includes/class-phpass.php b/src/wp-includes/class-phpass.php
index 1970ae9da4..f2dadae3ff 100644
--- a/src/wp-includes/class-phpass.php
+++ b/src/wp-includes/class-phpass.php
@@ -214,6 +214,10 @@ class PasswordHash {
 function HashPassword($password) {
+ if ( strlen( $password ) > 4096 ) {
+ return '*';
+ }
+
 $random = '';
 if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
@@ -249,6 +253,10 @@ class PasswordHash {
 function CheckPassword($password, $stored_hash) {
+ if ( strlen( $password ) > 4096 ) {
+ return false;
+ }
+
 $hash = $this->crypt_private($password, $stored_hash);
 if ($hash[0] == '*') $hash = crypt($password, $stored_hash);
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 57faac9db7..be937e6d72 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -2,6 +2,7 @@
 /**
  * @group pluggable
+ * @group auth
  */
 class Tests_Auth extends WP_UnitTestCase {
 var $user_id;
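Review bot: The new guard in HashPassword makes an over-long password produce the literal `'*'` as its "hash", and nothing signals that to the caller — the account is silently left with a value that can never verify (the added test in tests/phpunit/tests/auth.php asserts exactly that outcome). Refusing the input before the expensive stretching is the right defence, but the sentinel needs a comment so the next reader does not mistake it for a real hash, e.g. `// Refuse over-long input before stretching: '*' is phpass's "never matches" marker, so callers storing this value must treat it as a failure.`; how wp_set_password reacts is outside this diff. The 4096 literal is repeated in the CheckPassword hunk below; one class constant used by both guards would keep the two limits from drifting apart. HashPassword's body continues past the end of the hunk.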
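Review bot: The guard in CheckPassword returns false before crypt_private() is reached, which is what removes the length-dependent hashing cost, but it carries no comment explaining the bound or that it is measured in bytes; suggest `// Reject before any hashing: cost grows with input length, and the limit is a byte count (strlen), not a character count.` on the line above the check. As a point of style, `strlen( $password )` follows WordPress spacing while the rest of this vendored class writes `strlen($password)`; matching the file's own convention keeps future upstream merges cleaner. The remainder of CheckPassword, including the final comparison, lies outside the hunk.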
@@ -99,4 +100,49 @@ class Tests_Auth extends WP_UnitTestCase {
 $this->assertFalse( wp_verify_nonce( '' ) );
 $this->assertFalse( wp_verify_nonce( null ) );
 }
+
+ function test_password_length_limit() {
+ $passwords = array(
+ str_repeat( 'a', 4095 ), // short
+ str_repeat( 'a', 4096 ), // limit
+ str_repeat( 'a', 4097 ), // long
+ );
+
+ $user_id = $this->factory->user->create( array( 'user_login' => 'password-length-test' ) );
+
+ wp_set_password( $passwords[1], $user_id );
+ $user = get_user_by( 'id', $user_id );
+ // phpass hashed password
+ $this->assertStringStartsWith( '$P$', $user->data->user_pass );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[0] );
+ // Wrong Password
+ $this->assertInstanceOf( 'WP_Error', $user );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[1] );
+ $this->assertInstanceOf( 'WP_User', $user );
+ $this->assertEquals( $user_id, $user->ID );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[2] );
+ // Wrong Password
+ $this->assertInstanceOf( 'WP_Error', $user );
+
+
+ wp_set_password( $passwords[2], $user_id );
+ $user = get_user_by( 'id', $user_id );
+ // Password broken by setting it to be too long.
+ $this->assertEquals( '*', $user->data->user_pass );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[0] );
+ // Wrong Password
+ $this->assertInstanceOf( 'WP_Error', $user );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[1] );
+ // Wrong Password
+ $this->assertInstanceOf( 'WP_Error', $user );
+
+ $user = wp_authenticate( 'password-length-test', $passwords[2] );
+ // Password broken by setting it to be too long.
+ $this->assertInstanceOf( 'WP_Error', $user );
+ }
 }
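Review bot: test_password_length_limit pins the 4095/4096/4097 boundary only for single-byte input; because the guard in class-phpass.php uses strlen, the limit is a byte count, so a multibyte password of fewer than 4096 characters but more than 4096 bytes is rejected as well, and a fourth case built from a multibyte character would make that behaviour deliberate rather than accidental. The `assertEquals( '*', $user->data->user_pass )` assertion encodes that setting an over-long password silently leaves the account unverifiable; if that is the intended contract, the comment should state it, e.g. `// HashPassword refuses over-long input and yields '*', which can never verify.` in place of "Password broken by setting it to be too long." The 4096 literal here should reference whichever constant the phpass guard ends up using so the test and the guard cannot drift.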