Bug #78880
User settings: passwords get truncated without further notice
Status: closed
Description
Hi core team!
In the user settings form, when a new password with more than 100 chars is entered, it is truncated to 100 chars (of the plaintext password). Then the salt instance gets only those 100 chars and creates the password hash, which leads to the situation that a user can change his password to a value that is in fact not his password.
I think this could be solved by adding a 'maxlength' attribute to the password fields (like in the be_users TCE form) and a check on the server side to prevent too long passwords from getting saved (maybe by adding a 'max' option to the password fields in $GLOBALS['TYPO3_USER_SETTINGS']['columns']?).
Or, for the sake of user-friendliness, it would be a nice touch if the 'maxlength' attribute were omitted in favour of a JS-based check which won't let the user submit the form and tells him about the problem (surely leaving the server-side check in place).
All TYPO3 versions from 6.2 through master are affected.
What do you think?
Regards, Chrstian
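The failure mode described in the report, and the server-side check it asks for, as an added PHP example (this is not TYPO3 code and does not reproduce its saltedpasswords classes). Assumptions: the limit `MAX_PASSWORD_LENGTH = 100` is taken from the report; PBKDF2-SHA256 stands in for the real salted hash purely because it hashes the entire input; the function names `hashPassword`, `verifyPassword`, `setPasswordTruncating` and `setPasswordChecked` are hypothetical, and the 103-character input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. The 100-character limit is assumed from the report.
const MAX_PASSWORD_LENGTH = 100;

// Stand-in for the real salted hash: PBKDF2-SHA256 over the whole input,
// stored as "salt$hash" in hex.
function hashPassword(string $plaintext): string
{
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', $plaintext, $salt, 100000, 32, true);
    return bin2hex($salt) . '$' . bin2hex($hash);
}

function verifyPassword(string $plaintext, string $stored): bool
{
    [$saltHex, $hashHex] = explode('$', $stored, 2);
    $salt = hex2bin($saltHex);
    $expected = hex2bin($hashHex);
    $actual = hash_pbkdf2('sha256', $plaintext, $salt, 100000, 32, true);
    return hash_equals($expected, $actual);
}

// Reported behaviour: the form value is silently cut to 100 chars before hashing,
// so the stored hash belongs to a password the user never typed.
function setPasswordTruncating(string $plaintext): string
{
    $cut = mb_substr($plaintext, 0, MAX_PASSWORD_LENGTH);
    return hashPassword($cut);
}

// Proposed server-side check: reject over-long input before hashing so the
// form can report the problem instead of storing an unusable password.
function setPasswordChecked(string $plaintext): string
{
    $length = mb_strlen($plaintext);
    if ($length > MAX_PASSWORD_LENGTH) {
        throw new InvalidArgumentException(sprintf(
            'Password must not exceed %d characters (got %d)',
            MAX_PASSWORD_LENGTH,
            $length
        ));
    }
    return hashPassword($plaintext);
}

// Constructed input: 103 characters, 3 over the limit.
$typed = str_repeat('a', 100) . 'xyz';

$stored = setPasswordTruncating($typed);
printf("truncating flow: login with the typed password works? %s\n",
    verifyPassword($typed, $stored) ? 'yes' : 'no');
printf("truncating flow: login with only the first 100 chars works? %s\n",
    verifyPassword(mb_substr($typed, 0, MAX_PASSWORD_LENGTH), $stored) ? 'yes' : 'no');

try {
    setPasswordChecked($typed);
    echo "checked flow: password accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'checked flow: rejected: ', $e->getMessage(), "\n";
}
```

Run with `php example.php`. The truncating flow verifies only the cut-down value, which is exactly the situation the report describes. One related caveat when choosing the limit: some hash algorithms truncate on their own (bcrypt, for instance, uses only the first 72 bytes of the input), so the length check has to be enforced explicitly before hashing and should be counted in the same unit (bytes or characters) that the storage column and the hash implementation actually use.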