While investigating password limitations we found that the current usage is somewhat inconsistent. Some examples to illustrate the problem at hand:
agent/genkey.c in agent_ask_new_passphrase: "size_t len = 100;"
agent/call-pinentry.c in agent_get_passphrase: "size_t len = ASSUAN_LINELENGTH/2;"
agent/genkey.c in agent_ask_new_passphrase: "pi->max_length = MAX_PASSPHRASE_LEN + 1;"
There are various limits in use. So, to avoid chaos and usability issues:
1. Decide on a good limit to use
We think the limit of 100 characters is too strict. Can we up the limit to 250 characters (or even 500 if there are no objections)?
2. Use that limit consistently
Check locations where a limit may be used and double-check they all use the same limit.
3. How to deal with users with passwords longer than the current limit?
We have at least one user report where a user used a really long password and would then be unable to update the password.