In the database, the hashed password is stored in a field that can store up to 60 characters.
My question: is there an upper character limit on the unhashed (user-chosen) passwords, or will the hashing procedure always keep it below a certain length? (E.g. how strictly should I validate its length upon registration?)
Edit:
Based on the article linked by Dave White, I’ve tried setting a 1001-character password, just to see if it’s possible. Although it almost froze the admin panel, it was set successfully, and login was possible.
Looks like the hashing algorithm shortens even the longest of passwords to a certain length, but I would like to hear confirmation from people more knowledgeable in cryptography.
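A 60-character hash field is the size of a bcrypt output, so the following added example (not part of the question, and assuming PHP's built-in `password_hash()` with `PASSWORD_BCRYPT`) shows the two facts a registration validator needs: the hash is always 60 characters no matter how long the input is, and bcrypt silently ignores every byte after the 72nd, which is why an over-long password should be rejected up front rather than relied on to be "shortened".

```php
<?php
// Added example, not from the original question. Assumes PHP >= 7 with the
// built-in password_hash()/password_verify() and the PASSWORD_BCRYPT algorithm.

// bcrypt consumes at most 72 *bytes* of the password; the rest is discarded.
const BCRYPT_MAX_BYTES = 72;

// Registration-time wrapper: refuse, rather than silently truncate, input that
// bcrypt would not fully hash. strlen() counts bytes, which is what matters here
// (a multibyte UTF-8 password reaches the limit with fewer characters).
function hashPassword(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            'Password longer than ' . BCRYPT_MAX_BYTES . ' bytes would be truncated by bcrypt'
        );
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// 1. Output length does not depend on input length: every hash is 60 characters,
//    so the 60-character column is exactly right for bcrypt.
foreach ([8, 72, 1001] as $len) {
    $hash = password_hash(str_repeat('a', $len), PASSWORD_BCRYPT);
    printf("input %4d bytes -> hash %d chars\n", $len, strlen($hash)); // 60 each time
}

// 2. The "shortening" is truncation, not compression: two different 80-byte
//    passwords that share their first 72 bytes verify against the same hash.
$shared  = str_repeat('x', BCRYPT_MAX_BYTES);
$hashOfA = password_hash($shared . 'AAAAAAAA', PASSWORD_BCRYPT);
var_dump(password_verify($shared . 'BBBBBBBB', $hashOfA)); // bool(true)

// 3. The wrapper catches the case from the question (a 1001-character password)
//    at registration instead of letting it through with the tail ignored.
try {
    hashPassword(str_repeat('p', 1001));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Storing a hash longer than 60 characters only becomes a concern if the application later switches to another algorithm (for example `PASSWORD_ARGON2ID`), whose encoded output is longer.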