diff --git a/Common/sources/constants.js b/Common/sources/constants.js
index c73a8cf1..606d728b 100644
--- a/Common/sources/constants.js
+++ b/Common/sources/constants.js
@@ -36,6 +36,7 @@ exports.DOC_ID_PATTERN = '0-9-.a-zA-Z_=';
 exports.DOC_ID_REGEX = new RegExp("^[" + exports.DOC_ID_PATTERN + "]*$", 'i');
 exports.DOC_ID_REPLACE_REGEX = new RegExp("[^" + exports.DOC_ID_PATTERN + "]", 'g');
 exports.DOC_ID_MAX_LENGTH = 240;
+exports.PASSWORD_MAX_LENGTH = 255;//set password limit for DoS protection with long password
 exports.EXTENTION_REGEX = /^[a-zA-Z0-9]*$/;
 exports.CHAR_DELIMITER = String.fromCharCode(5);
 exports.OUTPUT_NAME = 'output';
diff --git a/DocService/sources/DocsCoServer.js b/DocService/sources/DocsCoServer.js
index 9477cfec..7fce7146 100644
--- a/DocService/sources/DocsCoServer.js
+++ b/DocService/sources/DocsCoServer.js
@@ -2045,7 +2045,13 @@ exports.install = function(server, callbackFunction) {
 dataWithPassword = data.openCmd;
 }
 if (dataWithPassword && dataWithPassword.password) {
- dataWithPassword.password = yield utils.encryptPassword(dataWithPassword.password);
+ if (dataWithPassword.password.length > constants.PASSWORD_MAX_LENGTH) {
+ //todo send back error
+ logger.warn('encryptPasswordParams password too long actual = %s; max = %s', dataWithPassword.password.length, constants.PASSWORD_MAX_LENGTH);
+ dataWithPassword.password = null;
+ } else {
+ dataWithPassword.password = yield utils.encryptPassword(dataWithPassword.password);
+ }
 }
 }
 
diff --git a/DocService/sources/converterservice.js b/DocService/sources/converterservice.js
index fca12774..907322f5 100644
--- a/DocService/sources/converterservice.js
+++ b/DocService/sources/converterservice.js
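Review bot: The comment on `PASSWORD_MAX_LENGTH` does not say what unit the limit is in. Both call sites in this commit compare it with `password.length`, which counts UTF-16 code units, so the encoded password can be a few times larger than 255 bytes. I would spell that out, for example `// max password length in UTF-16 code units (String.length); checked before utils.encryptPassword to bound the work done on oversized input`.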
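Review bot: The new guard in the `if (dataWithPassword && dataWithPassword.password)` block assumes the password is a string, and nothing visible in the hunk checks that. If the field arrives as a number or a plain object, `.length` is `undefined`, the comparison is false and the value reaches `utils.encryptPassword` with no bound; an array would be measured in elements. Unless the type is validated earlier, I would test `typeof dataWithPassword.password !== 'string' ||` ahead of the length comparison, and do the same for `params.password` in the converterservice.js hunk. Also, the too-long branch only nulls the password and carries on, so until the `//todo` is resolved the client gets no error, unlike the converter path, which answers with `CONVERT_PARAMS`. The enclosing function starts and ends outside the hunk.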
@@ -256,6 +256,11 @@ function convertRequest(req, res, isJson) {
 cmd.setJsonParams(JSON.stringify({'spreadsheetLayout': params.spreadsheetLayout}));
 }
 if (params.password) {
+ if (params.password.length > constants.PASSWORD_MAX_LENGTH) {
+ logger.warn('convertRequest password too long actual = %s; max = %s;docId = %s', params.password.length, constants.PASSWORD_MAX_LENGTH, docId);
+ utils.fillResponse(req, res, new commonDefines.ConvertStatus(constants.CONVERT_PARAMS), isJson);
+ return;
+ }
 let encryptedPassword = yield utils.encryptPassword(params.password);
 cmd.setPassword(encryptedPassword);
 }