Comment 7 for bug 1175905

Morgan Fainberg (mdrnstm) wrote :

Instead of returning HTTP 500 (ISE), the simplest fix is to just return HTTP 400. Let's be fair, if a deployer configures a longer maximum password than passlib can handle, it's either a 500 or a 400. In this case we can determine what the correct size would be and we should raise up a 400 Bad Request.

This is an edge case, but handling it elegantly is better than letting it just fail in an ugly way.
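
A sketch of the behaviour the comment proposes, added here as an example and not taken from the comment or from the project's code: the request handler computes the usable limit and answers 400 when the deployer's configured maximum exceeds what the hashing library accepts. The limits, `library_hash`, `LibraryPasswordSizeError` and `set_password` are hypothetical stand-ins, with PBKDF2 from the standard library in place of passlib.

```python
import hashlib
import os

# Assumed values for illustration; neither comes from the bug report.
LIBRARY_MAX_PASSWORD_SIZE = 4096   # stand-in for the hashing library's hard limit
CONFIGURED_MAX_PASSWORD = 8192     # deployer setting, larger than the library allows


class LibraryPasswordSizeError(ValueError):
    """Stand-in for the size error a hashing library raises on oversized input."""


def library_hash(password: str) -> str:
    """Stand-in hasher that refuses input above its hard limit."""
    raw = password.encode("utf-8")
    if len(raw) > LIBRARY_MAX_PASSWORD_SIZE:
        raise LibraryPasswordSizeError(len(raw))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, 10_000)
    return salt.hex() + "$" + digest.hex()


def effective_max(configured: int = CONFIGURED_MAX_PASSWORD) -> int:
    """The size callers can actually use: the smaller of config and library limit."""
    return min(configured, LIBRARY_MAX_PASSWORD_SIZE)


def set_password(password: str, configured: int = CONFIGURED_MAX_PASSWORD):
    """Return (status, body) for a hypothetical password-change request."""
    limit = effective_max(configured)
    if len(password.encode("utf-8")) > limit:
        # Client-correctable input problem: 400, stating the usable size.
        return 400, f"Password exceeds the maximum of {limit} bytes"
    try:
        return 200, library_hash(password)
    except LibraryPasswordSizeError:
        # Defensive: a limit mismatch still surfaces as 400, never as 500.
        return 400, f"Password exceeds the maximum of {limit} bytes"
```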