I have a password combined with numbers and letters. The last 2 characters of my password are numbers, and they can be used to make different passwords.
Example ( this is not my password below ) :
eH5xU45
The different passwords you can use to log in would be:
1) eH5xU
2) eH5xU4
3) eH5xU45, but also:
4) eH5xU329847
5) eH5xU324237492387482374927349
and many, many more...
I found the bug, when I forgot the last 2 numbers at the end of my password.
Confirmed, although when I tested it myself, entering "12345678" (in the web interface) worked for both "12345678aa" and "1234567890123456", so it "feels" like the password is truncated somewhere...
I agree with exp, longer passwords are sometimes easier to remember, but the chance of making errors during typing those longer passwords will increase.
1) limit the password editing boxes to 8 chars
2) write something near the editing boxes about the limits
3) leave it as it is (do nothing)
4) use an alternative crypt
5) vote about it
I don't know how many users have a password longer than 8 chars. And because it's all encrypted in the database (I assume), I think we cannot gain more information about it.
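The symptom reported above (a stored "12345678" also matching "12345678aa" and "1234567890123456") is what a hashing scheme that only consumes the first 8 characters produces; traditional Unix crypt(3) behaves this way, though the thread itself does not name the scheme, so that is an assumption. The following is an added example, not code from this forum or its software: a small self-test a maintainer can run against their own verify routine to measure whether, and at what length, it truncates, shown against a constructed 8-character model of the legacy behaviour and against PBKDF2, which hashes the whole password.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 8  # traditional DES crypt(3) uses only the first 8 password bytes (assumed cause)
PBKDF2_ROUNDS = 20_000  # kept low so the self-test finishes quickly; raise in production


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for the truncating scheme (not real crypt(3)):
    only the first LEGACY_LIMIT characters influence the digest."""
    return hashlib.sha256(salt + password[:LEGACY_LIMIT].encode()).digest()


def legacy_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def full_hash(password: str, salt: bytes) -> bytes:
    """Replacement scheme: PBKDF2-HMAC-SHA256 consumes every character."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def full_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(full_hash(password, salt), stored)


def truncation_length(verify, hash_fn, probe: str):
    """Enrol `probe` (longer than any suspected limit), then try each proper
    prefix against the stored hash. Returns the shortest prefix length the
    verifier still accepts, i.e. the truncation point, or None if the scheme
    really checks the whole password."""
    salt = os.urandom(16)
    stored = hash_fn(probe, salt)
    for n in range(1, len(probe)):
        if verify(probe[:n], salt, stored):
            return n
    return None


if __name__ == "__main__":
    probe = "1234567890123456"  # constructed 16-character probe, like the one in the thread
    print("legacy scheme truncates at:", truncation_length(legacy_verify, legacy_hash, probe))
    print("PBKDF2 scheme truncates at:", truncation_length(full_verify, full_hash, probe))
```

Run it against your real verify function (with the same signature) to get a yes/no answer instead of guessing from user reports; a non-None result means option 4 (an alternative crypt) is the actual fix, and options 1 and 2 only paper over it.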
I also have a database with users. But I use MD5 as the crypt.