Murph Murphy

There is a stated 72 character password length limit. That limit is validated on login so passwords longer than 72 characters will fail login. It's truncated to in the account creation form, so putting in a password longer than that won't fail form submission validation, it'll result in an account with a password truncated to 72 characters.

This inconsistency can result in users creating an account successfully, then putting in their password to login and being told the password they just created the account with is incorrect.

Expected behavior: Either also truncate the login form to 72 characters, or apply validation to the creation form that doesn't allow more than 72 characters in a password instead of truncating. Either a way is fine, but the behavior should be the same in both forms.