1 kosh Oct 18, 2005 23:08
3 kosh Oct 19, 2005 00:09
ok, this forum is a little screwy, I just posted this and the post appeared in the thread, now the post has vanished, so I'll post the same reply again
edb, thanks for replying, albeit this is the second and probably shorter version :) the reason why the 32 character limitation is because MD5 always outputs a 128bit (32 character) hash of whatever the input string happens to be, you could have a 200 character password and the MD5 of that, would be 32 bytes long, you can find more about MD5 here (first link google gave me)
http://bfl.rctek.com/guides/?guide=md5
the reason it's a bug? bugs are usually undesirable effects of software programming which probably weren't thought through, as a result a limitation which is undisclosed is imposed upon us, therefore when you enter your 30 character password, you can't login anymore, in web development terms, that's a bug :)
(you may also be interested to know that I've made a modification of your upcode idea, which now doesn't involve a separate window and can support inserting code at the cursor position, if you're interested, email me)
(copy/pastes this text just in case it DISAPPEARS again)
chris
4 village_idiot Oct 19, 2005 07:31
and this isn't a bug, so I will move this entire thread.
5 kosh Oct 19, 2005 10:26
what? it's "not" a bug? you're tripping, perhaps a cluebat is in order, but whatever, your opinion doesn't change the fact that b2evolution had a bug and I fixed it
perhaps you can explain why an "undocumented feature" is NOT a bug? that's what a bug is, something which the program "shouldn't" do but DOES
jeez, I guess that's what you get for employing people as forum admins who aren't software developers
6 edb Oct 19, 2005 12:36
Your definition of 'bug' is rather wide open. Seems like anything you want the software to do that it doesn't do would be a bug, but let's look at this differently. Suppose the dev team decided you were right and implemented your 'bug fix', then someone comes along who wants a password with 41 characters. It won't work, which means what? Your solution is also a bug? NO, and for the same reason this is not a bug: the software is doing exactly what it is supposed to do.
7 kosh Oct 19, 2005 12:52
well I guess firstly I should point out that it's not something I *want* the software to do, it's something I wanted to do, which the software gave me no impression was impossible, until I came to login, then couldn't. Hence the software had a bug in that it would behind the scenes, limit the input of a password to a length which is unspecified.
according to your wikipedia, which most people regard as a repository of crap information, see the latest "The Register" article here:
(IRONY ALERT in choosing the register as a source)
http://www.theregister.co.uk/2005/10/18/wikipedia_quality_problem/
from your article:
"A software bug is an error, flaw, mistake, failure, or fault in a computer program that prevents it from working as intended"
the error being choosing a maxlength for a password field, where no length is actually needed or required
the mistake, is not putting this forward as actual intended behaviour, it seems someone just "decided" to make it 20 and not tell anyone, or assume that nobody would ever hit the limit, reading the src code reveals that nobody actually documents a 20 character limit, or at least, I've not come across that comment in the code yet
the failure, is that when you go to login, you can't and have to reset your password and try again, several times I might add, before I found the problem
the "prevents" would be for someone to be locked out of their blog until the admin can reset it, only for them to lock themselves out again, not knowing the problem ISN'T with the password, but with the software
so even according to your wikipedia article, it's a bug
of course the FIX is to remove the limitation altogether, I toyed with the idea today, or just removing the field and letting you enter as much as you wanted, I guess that's the "end game" of this bug
8 village_idiot Oct 19, 2005 19:28
kosh, your rudeness is unnecessary, perhaps a lesson in manners is in order. In the end, it's Francois' call on whether or not it's a bug -- if he considers it one, he'll take care of it. If not, well then, he won't.
9 blueyed Nov 18, 2005 12:04
IMHO we should have simply no maxlength for the password inputs.
Setting it to 40 will only arise the next issue with it.
*edit*: I've unlocked the topic. Please calm down everybody.
10 kosh Nov 18, 2005 12:16
this, incidentally, is what I ended up doing, I realised what you said and thought, why not just remove it?
11 blueyed Nov 19, 2005 07:49
kosh, why has this happened to you anyway? Are there different password input maxlength values used?
Or did your browser not respect them once, but the other time?
Just curious..
12 kosh Nov 19, 2005 13:37
well, I like to use passphrases and not passwords, instead of df8fj4h489 as my password, I use thelifeofthewifeisendedbytheknife
so you can see, 20 character maxlength just ISN'T enough, 40 might not be, but I doubt anyone would want a password that long, I think it's long enough, but you are right, someone EVENTUALLY is going to end up typing more than 40 chars because "they can" and we will all be in the same situation, removing the limit completely is the best way to go, since there is no sense in imposing a limitation in the first place. It's not like there is a purpose to the limitation, so removing it was the way to go.
The user_pass field in the evo_users table is limited to 32 characters, or at least that's what I think "varchar(32)" means. Therefore shouldn't one have all these values match?
By the way I don't see this as a bug. It is a lack of information that resulted in an undesirable situation, but that's not what I would consider a bug. http://forums.b2evolution.net/viewtopic.php?t=5602 touches on the topic without giving a method to increase the length - as you have - but it does offer a method to inform the blogger of both upper and lower character count limits.
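The two technical points raised in this thread, as an added example (not b2evolution code): an MD5 hex digest is always 32 characters, so it fits the `varchar(32)` `user_pass` column whatever the password length, and a lockout like the one kosh describes appears when the form that sets the password truncates at a different `maxlength` than the login form. The unsalted MD5 storage, the helper names and the mismatched-limit scenario (the one blueyed asks about) are assumptions.

```python
import hashlib

SET_FORM_MAXLENGTH = 20   # limit reported in the thread for the password field
COLUMN_WIDTH = 32         # user_pass varchar(32), as quoted in the thread
PASSPHRASE = "thelifeofthewifeisendedbytheknife"  # passphrase quoted in the thread


def browser_field(value, maxlength=None):
    """Model <input maxlength=N>: extra characters are silently dropped."""
    return value if maxlength is None else value[:maxlength]


def stored_hash(password):
    """Hex MD5 of the password (assumed unsalted, as the thread implies)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def set_password(typed, maxlength):
    """Hash whatever the set-password form actually submitted."""
    return stored_hash(browser_field(typed, maxlength))


def login(typed, stored, maxlength):
    """Hash whatever the login form submitted and compare with the stored value."""
    return stored_hash(browser_field(typed, maxlength)) == stored


def scenario(passphrase, set_limit, login_limit):
    """Set a password through one form, then log in through another."""
    stored = set_password(passphrase, set_limit)
    return {
        "typed_len": len(passphrase),
        "stored_len": len(stored),
        "fits_column": len(stored) <= COLUMN_WIDTH,
        "login_ok": login(passphrase, stored, login_limit),
    }


if __name__ == "__main__":
    cases = [
        ("set form 20, login form unlimited", SET_FORM_MAXLENGTH, None),
        ("both forms limited to 20", SET_FORM_MAXLENGTH, SET_FORM_MAXLENGTH),
        ("no limit on either form", None, None),
    ]
    for label, set_limit, login_limit in cases:
        print(label, scenario(PASSPHRASE, set_limit, login_limit))
```

When both forms share the same limit the login succeeds, but only the first 20 characters of the passphrase are actually protecting the account.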