While investigating password limitations, we found that the current usage is somewhat inconsistent. Some examples to illustrate the problem at hand:

- agent/genkey.c in agent_ask_new_passphrase: `size_t len = 100;`
- agent/call-pinentry.c in agent_get_passphrase: `size_t len = ASSUAN_LINELENGTH/2;`
- agent/genkey.c in agent_ask_new_passphrase: `pi->max_length = MAX_PASSPHRASE_LEN + 1;`
There are various limits in use. So, to avoid chaos and usability issues:

- Decide on a good limit to use.
  We think the limit of 100 characters is too strict. Can we up the limit to 250 characters (or even 500 if there are no objections)?
- Use that limit consistently.
  Check the locations where a limit may be used and double check that they all use the same limit.
- How to deal with users using passwords in existing keys which are longer than the current limit?
  We have at least one user report where a user used a really long password and was then unable to update the password.
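As an added illustration (not code from GnuPG or this report), the following C snippet shows why differing per-call-site limits are a usability and correctness problem: the same passphrase is silently cut to a different length depending on which buffer size a call site happens to use, so a key set through one path may not be unlockable or updatable through another. The single limit, the helper names and the sample passphrases are all constructed here; the value 250 is the number proposed above, not one taken from GnuPG's sources.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* One project-wide limit, used by every call site. The value 250 is the
 * figure proposed in the report above, not a value from GnuPG itself. */
#define PASSPHRASE_MAX_LEN 250

enum pp_status { PP_OK = 0, PP_EMPTY = 1, PP_TOO_LONG = 2 };

static char scratch[1024];

/* Constructed test input: a passphrase of n bytes ('p' repeated). */
const char *sample_passphrase(size_t n)
{
    if (n >= sizeof scratch) n = sizeof scratch - 1;
    memset(scratch, 'p', n);
    scratch[n] = '\0';
    return scratch;
}

/* Validate a NEW passphrase against the single limit. Length is counted
 * in bytes, so multi-byte UTF-8 input reaches the limit sooner than its
 * visible character count suggests. */
enum pp_status check_new_passphrase(const char *pw)
{
    size_t n = strlen(pw);
    if (n == 0) return PP_EMPTY;
    if (n > PASSPHRASE_MAX_LEN) return PP_TOO_LONG;
    return PP_OK;
}

/* Simulate a call site that copies into a fixed buffer of buflen bytes,
 * truncating silently. Returns the number of bytes actually kept. */
size_t copy_truncating(const char *pw, char *buf, size_t buflen)
{
    size_t n = strlen(pw);
    if (buflen == 0) return 0;
    if (n > buflen - 1) n = buflen - 1;
    memcpy(buf, pw, n);
    buf[n] = '\0';
    return n;
}

/* Returns 1 if two call sites with different buffer sizes would keep a
 * different number of bytes for the same passphrase (i.e. the limits
 * disagree for this input), 0 if they agree, -1 on bad arguments. */
int limits_disagree(const char *pw, size_t buflen_a, size_t buflen_b)
{
    char a[512], b[512];
    if (buflen_a > sizeof a || buflen_b > sizeof b) return -1;
    return copy_truncating(pw, a, buflen_a) != copy_truncating(pw, b, buflen_b);
}

int main(void)
{
    /* A 120-byte passphrase: fine under a 256-byte buffer, cut under 100. */
    const char *pw = sample_passphrase(120);
    printf("new-passphrase check: %d\n", check_new_passphrase(pw));
    printf("100 vs 256 byte buffers disagree: %d\n", limits_disagree(pw, 100, 256));
    return 0;
}
```

Running this shows the 120-byte passphrase passing the new-passphrase check but being kept at different lengths by the two simulated call sites; that mismatch is exactly what leaves a user with an existing long passphrase unable to change it.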