By sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most modern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.