by thih9 1839 days ago
Good point, that was too simplistic. Then again, I guess longer passwords could be preprocessed with another hashing function, one that returns a string of X bytes?

My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me, no matter the circumstances or the amount of backward compatibility that has to be kept.


I understand your point but then password shucking can be problematic: https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
What do you mean by problematic? The source links to YT and I can’t view a YT link.

I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.
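As an added example (not code from this thread or from the linked cheat sheet) of the preprocessing idea discussed above, together with the shucking caveat: the password is pre-hashed with a keyed HMAC under a secret pepper, base64-encoded so the result is fixed-length and NUL-free, and only then passed to a slow KDF. The pepper value is constructed for the demo, and PBKDF2 from the Python standard library stands in for bcrypt so the script runs without third-party packages.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed pepper for this demo only. In a deployment it is a secret kept
# outside the password database (KMS, env var, ...), so a leaked table of
# pre-hashes cannot simply be matched against hashes from other breaches.
DEMO_PEPPER = b"demo-pepper-do-not-use-in-production"


def prehash(password: str, pepper: bytes = DEMO_PEPPER) -> bytes:
    """Collapse a password of any length to a fixed 44-byte, NUL-free string.

    Using HMAC-SHA256 keyed with the pepper (rather than a bare SHA-256) means
    the value that reaches the slow hash is not a plain hash of the password,
    which is what blocks password shucking against the pre-hash layer.
    Base64 keeps the output free of 0x00 bytes, which some bcrypt
    implementations treat as a string terminator.
    """
    digest = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)  # 32 raw bytes -> 44 ASCII characters


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Pre-hash, then run a slow, salted KDF over the fixed-length result.

    PBKDF2-HMAC-SHA256 is a stand-in for bcrypt here (assumption for the demo);
    with bcrypt, prehash(password) is what you pass in place of the raw
    password, so the 72-byte limit is never hit.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", prehash(password), salt, 600_000)
    return salt, derived


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)
```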