Problem/Motivation
While working on #1777270: Write tests for: Users with passwords over 60 characters cannot log in via the user login block, I discovered some unexpected behaviour when logging in with long passwords and writing a test for that.
I created a password of 521 characters and entered that at user/1/edit; it saved successfully and I could log in with that password. I logged out and removed characters from the end of the password to make the password 511 characters long. I could successfully log in with that as well. Further testing found that the password max length is 128. I expected it to be 512 because of const PASSWORD_MAX_LENGTH = 512; in \Drupal\Core\Password\PasswordInterface.
And when writing a functional test for this, errors are shown that are not shown when testing manually. I don't understand that.
In the test I changed the length of the password and got the following results:
When the password length was 129 this message is shown, 'Password cannot be longer than 128 characters but is currently 129 characters long.' This is from \Drupal\Core\Form\FormValidator::performRequiredValidation.
When the password length was 512 this message is shown, 'Password: may not be longer than 255 characters.' This is from \Drupal\Core\Field\Plugin\Field\FieldType\StringItem::getConstraints.
I'd like to know why the user isn't informed of the actual password length and why the PasswordInterface uses 512 but one can't really use a password greater than 128 characters.
Proposed resolution
On #bugsmash, larowlan suggested this solution:
Support #maxlength on PasswordConfirm, and have the process plugin mirror that down to the two child password fields and then have AccountForm set a length on its use of password confirm.
That way we only change account form, and not all password confirm fields.
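As an added illustration of the approach suggested above (not Drupal core's code and not the committed patch), the sketch below shows a #process callback that copies #maxlength from a password_confirm element down to its two child password elements, and the form array AccountForm would pass to request the limit. The function names are hypothetical; it assumes the callback is appended to the element's #process list after the core callback that builds the pass1 and pass2 children, and that the children already exist when it runs.

```php
<?php

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Password\PasswordInterface;

/**
 * Hypothetical #process callback for a 'password_confirm' element.
 *
 * Mirrors #maxlength from the parent element down to both child
 * 'password' elements so that the form-level length check (the one
 * reporting "Password cannot be longer than ...") enforces the limit
 * the parent asked for instead of the children's default.
 */
function example_process_password_confirm(array &$element, FormStateInterface $form_state, array &$complete_form) {
  if (!isset($element['#maxlength'])) {
    // No limit requested by the parent: leave the children untouched so
    // every other password_confirm field keeps its current behaviour.
    return $element;
  }
  foreach (['pass1', 'pass2'] as $child) {
    // Assumption: core's own process callback has already created the
    // child elements; this only copies the limit onto them.
    if (isset($element[$child])) {
      $element[$child]['#maxlength'] = $element['#maxlength'];
    }
  }
  return $element;
}

/**
 * What AccountForm's use of the element would look like with a limit set.
 *
 * Only this one form requests the larger limit, so the change is scoped
 * to the account form rather than to all password_confirm fields.
 */
function example_account_form_password_element(): array {
  return [
    '#type' => 'password_confirm',
    '#size' => 25,
    '#maxlength' => PasswordInterface::PASSWORD_MAX_LENGTH,
  ];
}
```

This only changes the form-level check. The "may not be longer than 255 characters" message quoted in the problem description comes from an entity field constraint (StringItem::getConstraints), which #maxlength on the form element does not affect, so a password of 512 characters would still need that constraint reconciled with PASSWORD_MAX_LENGTH.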
Remaining tasks
Patch
Review
Commit
Smile