During the site install, I created an admin account with a 256-character random password. The password was generated in KeePass and copied and pasted into the form. I was able to log in when the install completed, perhaps with the help of the browser's autocomplete. I created an author account with another long password the same way. I logged in successfully as the author and posted some dummy content.
However, a day later, I am unable to log in to either account. I notice that the maxlength attribute on the password field is 60, and if I remove that attribute and then submit the form, Drupal gives me an error message:
Password cannot be longer than 60 characters but is currently 256 characters long.
Edit: I just noticed that when changing a password, the maxlength of the password fields is 128. However, when logging in, the maxlength is 60.
Update the core user module and the new password form(s).
Edit a core module and a core template?
User interface changes
Display all of the password criteria, including maximum length and restricted characters, when a user is setting a password.
Consider setting the max password length to a larger value; 60 seems arbitrary and small. Maybe 1KB or so?
As a workaround, I changed the admin password directly in the database using user_hash_password().
For the record, this install is running in WAMP on Windows 7, and I believe that drush is unavailable.
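A consistency check for the mismatch reported above, as an added example that is not part of the original report or of Drupal's code: it reads the maxlength of every password input in rendered forms and flags any login form that accepts fewer characters than a set-password form. The form ids, field names and markup are constructed for illustration; only the limits 60 and 128 come from the report.

```python
from html.parser import HTMLParser

# Constructed sample markup; form ids and field names are assumptions.
# The limits 60 (login) and 128 (password change) are the ones reported above.
SAMPLE_PAGES = [
    ("login", '<form id="user-login"><input type="text" name="name" maxlength="60">'
              '<input type="password" name="pass" maxlength="60"></form>'),
    ("set", '<form id="user-profile-form">'
            '<input type="password" name="pass[pass1]" maxlength="128">'
            '<input type="password" name="pass[pass2]" maxlength="128"></form>'),
]
UNLIMITED = float("inf")  # a password input that declares no maxlength


class PasswordFields(HTMLParser):
    """Collect (form id, field name, maxlength) for every password input."""

    def __init__(self):
        super().__init__()
        self.form_id, self.fields = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_id = a.get("id", "(no id)")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            raw = (a.get("maxlength") or "").strip()
            limit = int(raw) if raw.isdigit() else UNLIMITED
            self.fields.append((self.form_id, a.get("name"), limit))


def collect(html):
    parser = PasswordFields()
    parser.feed(html)
    parser.close()
    return parser.fields


def audit(pages):
    """pages: (role, html) pairs with role "login" or "set". Returns
    (form, field, login_limit, set_limit) for each login field that rejects
    passwords a set-password form would have accepted."""
    login_fields, set_limits = [], []
    for role, html in pages:
        fields = collect(html)
        if role == "login":
            login_fields.extend(fields)
        else:
            set_limits.extend(limit for _, _, limit in fields)
    widest = max(set_limits, default=0)
    return [(form, name, limit, widest)
            for form, name, limit in login_fields if limit < widest]
```

This only compares client-side attributes; the error message quoted above shows the login limit is also enforced on the server, so the server-side validators need the same comparison.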