As you can currently configure the number of rounds, I think it makes sense to be able to configure the maximum password length rather than using a hard-coded value. This will give the administrator better control over their environment.
TBH I don't like the truncating approach. To me it seems like you are trying to 'fix' invalid input and continue like nothing has happened. IMO any password that exceeds the maximum password length should be rejected as invalid input (as really that is what it is).
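The difference between the two behaviours discussed in the comment above, as an added example that is not part of the original comment or the project's code. PBKDF2-HMAC-SHA256 stands in for the project's hash, and the names `max_len`, `rounds` and `PasswordTooLong`, the limit of 64 bytes and the low round count are assumptions chosen for illustration.

```python
import hashlib
import hmac

MAX_PASSWORD_LENGTH = 64  # assumed administrator-configurable limit, in bytes
ROUNDS = 10_000           # assumed configurable rounds; kept low for the demo


class PasswordTooLong(ValueError):
    """Raised when input exceeds the configured maximum length."""


def _derive(raw: bytes, salt: bytes, rounds: int) -> bytes:
    # PBKDF2 is a stand-in here, not the hash the project uses.
    return hashlib.pbkdf2_hmac("sha256", raw, salt, rounds)


def hash_truncating(password, salt, max_len=MAX_PASSWORD_LENGTH, rounds=ROUNDS):
    # Silently drops everything past max_len bytes before hashing.
    return _derive(password.encode("utf-8")[:max_len], salt, rounds)


def hash_rejecting(password, salt, max_len=MAX_PASSWORD_LENGTH, rounds=ROUNDS):
    # Treats over-long input as invalid instead of altering it.
    raw = password.encode("utf-8")
    if len(raw) > max_len:
        raise PasswordTooLong(f"{len(raw)} bytes exceeds limit of {max_len}")
    return _derive(raw, salt, rounds)


def verify(hash_fn, candidate, salt, stored, **kw) -> bool:
    # Over-long candidates fail verification under the rejecting policy.
    try:
        return hmac.compare_digest(hash_fn(candidate, salt, **kw), stored)
    except PasswordTooLong:
        return False


def demo():
    salt = b"\x01" * 16                    # constructed fixed salt
    enrolled = "A" * 64 + "-real-suffix"   # constructed 76-byte password
    other = "A" * 64 + "-something-else"   # same first 64 bytes only
    stored = hash_truncating(enrolled, salt)
    collides = verify(hash_truncating, other, salt, stored)
    try:
        hash_rejecting(enrolled, salt)
        refused = False
    except PasswordTooLong:
        refused = True
    return collides, refused


if __name__ == "__main__":
    print(demo())
```

With truncation, any input sharing the first `max_len` bytes verifies against the stored hash; with rejection, the over-long password is refused at enrolment and the user learns about the limit.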