I have a production site using the Encrypted style password storage from the SQL Membership Provider, and for particularly long passwords we're getting the exception:

"The password is too long: It must not exceed 128 chars after encrypting. Parameter name: newPassword."

This is being thrown from MembershipUser.ChangePassword(string oldPassword, string newPassword), although the stack may go a little deeper.
What maximum length do I need to limit my users to so that we don't see this error if they provide a password of that length?
I realise that we should really have been using Hashed, which should result in a more consistent result, but as a short-term fix before we convert all the existing passwords I'd like to reduce the maximum number of characters a user can enter to keep the encrypted length under this limit.
According to the documentation, it is exactly 128 chars in the database. It also can vary with the encryption strategy and what is in the string.
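The two variables the answer mentions (the encryption strategy and what is in the string) can be turned into a concrete bound. The following is an added example, not code from the question, the answer, or the SQL Membership Provider itself. It assumes a layout in which a 16-byte salt is prepended to the UTF-16 encoding of the password, the result is encrypted with a 16-byte block cipher in CBC mode with PKCS#7 padding, optionally with one leading random-IV block and a trailing MAC, and the ciphertext is Base64-encoded before it is stored. The salt size, IV block, block size and MAC size are parameters precisely because they are assumptions; the `candidate_layouts` helper lets you confirm them against the length of a real stored value for an account whose password length you know. The limit computed is in UTF-16 code units, which is what matters here: a character outside the Basic Multilingual Plane (an emoji, for example) costs two code units, so a naive character count would under-count it.

```python
"""Model the stored length of an 'Encrypted'-style membership password.

Hypothetical layout (an assumption, not the provider's documented format):
    base64( [iv_blocks * block random bytes] + CBC_PKCS7( salt || utf16le(password) ) + [mac_bytes] )

Only lengths matter, so no real cipher is needed: a zero-filled buffer of the
right size is Base64-encoded to get the exact stored length.
"""
import base64

LIMIT = 128  # the column/validation limit quoted in the exception


def utf16_code_units(password: str) -> int:
    # .NET strings are UTF-16; supplementary characters (emoji etc.) use two units.
    return len(password.encode("utf-16-le")) // 2


def pkcs7_padded_length(n: int, block: int) -> int:
    # PKCS#7 always appends 1..block bytes, so an exact multiple still grows by a block.
    return (n // block + 1) * block


def encoded_length(password: str, *, salt_bytes: int = 16, block: int = 16,
                   iv_blocks: int = 1, mac_bytes: int = 0) -> int:
    """Stored (Base64) length of the password under the assumed layout."""
    plaintext = salt_bytes + 2 * utf16_code_units(password)
    ciphertext = iv_blocks * block + pkcs7_padded_length(plaintext, block) + mac_bytes
    return len(base64.b64encode(bytes(ciphertext)))


def fits(password: str, limit: int = LIMIT, **layout) -> bool:
    """Check to run before calling ChangePassword with this password."""
    return encoded_length(password, **layout) <= limit


def max_code_units(limit: int = LIMIT, **layout) -> int:
    """Largest number of UTF-16 code units whose encoding stays within the limit.

    Length grows monotonically with the input, so a linear scan is sufficient.
    """
    n = 0
    while encoded_length("a" * (n + 1), **layout) <= limit:
        n += 1
    return n


def candidate_layouts(known_password: str, observed_length: int,
                      salt_bytes: int = 16, block: int = 16) -> list:
    """Which (iv_blocks, mac_bytes) combinations reproduce a length seen in the database?

    Take a test account with a password you know, read the stored Password column
    length, and keep only the layouts that match before trusting max_code_units.
    """
    matches = []
    for iv_blocks in (0, 1):
        for mac_bytes in (0, 20, 32):  # none, HMAC-SHA1, HMAC-SHA256 (assumed sizes)
            length = encoded_length(known_password, salt_bytes=salt_bytes, block=block,
                                    iv_blocks=iv_blocks, mac_bytes=mac_bytes)
            if length == observed_length:
                matches.append({"iv_blocks": iv_blocks, "mac_bytes": mac_bytes})
    return matches


if __name__ == "__main__":
    print("max code units, IV block present :", max_code_units())
    print("max code units, no IV block      :", max_code_units(iv_blocks=0))
    # Same visible length, different cost: 16 ASCII chars fit, 16 emoji do not.
    print("fits 'a'*16  :", fits("a" * 16))
    print("fits emoji*16:", fits("\U0001F600" * 16))
    print("layouts matching a 128-char row for a 31-char password:",
          candidate_layouts("a" * 31, 128))
```

With the IV block present, the bound is 31 UTF-16 code units; without it, 39. Whichever layout your stored rows confirm, enforce the limit in code units (or, more conservatively, count every character as two) rather than in characters, and keep in mind that this only papers over the problem until the passwords are converted to Hashed.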