Comment 9 for bug 1175906

Would it be possible to present option 1 as option 2. That is to say, create a maximum password length setting that in reality truncates password input. This would perhaps satisfy the 'dont break stuff' requirement (you could truncate to 256 by default) while also allowing deployers to decide what cpu/complexity tradeoff they'd be happy to accept?