The Vulnerability History Project

[1.5.x] Ensure that passwords are never long enough for a DoS.

  * Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
  * Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.

Backport of aae5a96d5754ad34e48b7f673ef2411a3bbc1015 from master.
    
commit 22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc
+13 -35
+1 -28
+1 -71
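The mitigation the commit message describes, as an added illustration that is not the project's own code: a hypothetical PBKDF2 hasher that measures the UTF-8 byte length of the password and refuses anything over 4096 bytes before any key-stretching work happens, plus a form-style validator that turns the same ValueError into an error message. The cap value comes from the commit message; the function names and the iteration count are assumptions.

```python
import hashlib
import os

# Cap stated in the commit message: inputs longer than this are refused before
# the expensive key derivation runs, so a huge password cannot burn CPU.
MAX_PASSWORD_BYTES = 4096


def check_password_length(password: str) -> None:
    """Raise ValueError if the UTF-8 encoding of the password exceeds the cap.

    Length is measured in bytes, not characters, because that is what the
    hash function actually processes (multi-byte characters count more).
    """
    size = len(password.encode("utf-8"))
    if size > MAX_PASSWORD_BYTES:
        raise ValueError(f"password is {size} bytes; maximum is {MAX_PASSWORD_BYTES}")


def hash_password(password: str, salt: bytes = b"", iterations: int = 260000) -> str:
    """Hypothetical PBKDF2-HMAC-SHA256 hasher that applies the cap first."""
    check_password_length(password)  # cheap check before the costly work
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def validate_form_password(password: str) -> list:
    """Form-style validation: report the problem as an error list, do not raise."""
    try:
        check_password_length(password)
    except ValueError as exc:
        return [str(exc)]
    return []


def is_rejected(password: str) -> bool:
    """True when the hasher refuses the password (fixed salt keeps it deterministic)."""
    try:
        hash_password(password, salt=b"\x00" * 16, iterations=1000)
    except ValueError:
        return True
    return False
```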