Comment 7 for bug 1175906

I see two ways out of this:

1/ Consider this a vulnerability and adopt the truncating approach (benefit is that you don't break anyone on upgrade, drawback is that you're potentially lowering expected complexity, as Rob points out. With 256 characters this may be a non-issue though).

2/ Consider this a performance issue and make password length configurable in future versions, but default to 4096 so that nobody is broken on upgrade.

I'm fine with either solution... I just don't see other solutions that let us solve this without breaking people on upgrade.

Thoughts ? Preferences ?