top | item 4558972


air-lemming | 13 years ago

Actually, if this is the case, then it seems reasonable as a transitional step towards actually allowing passwords longer than 16 characters. This way, users will start entering the 16 characters of the password that are (hopefully) hashed and stored, and then they won't enter their longer, truncated password when longer passwords are allowed.

However, this transitional step could be skipped with a truncated-password flag that is set for all old passwords and cleared for new passwords. Although this would mark easier targets if the table were dumped through an SQL injection.
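The flag-based migration sketched in the comment above, written out as an added example that is not from the thread or from any real site. Everything here is an assumption for illustration: the 16-character limit is used as `LEGACY_MAX_LEN`, PBKDF2-HMAC-SHA256 stands in for whatever hash the real system used, and the function names (`create_legacy_credential`, `verify_and_migrate`, `easier_targets`) are hypothetical. The point it shows is that a legacy row accepts any password sharing the stored 16-character prefix until the user logs in once and the row is rehashed untruncated, and that the flag itself tells whoever dumps the table which rows are the weak ones.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEGACY_MAX_LEN = 16        # old silent truncation limit (assumed from the discussion)
PBKDF2_ROUNDS = 200_000    # placeholder work factor; the real site's hash is unknown


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    truncated: bool  # True: digest covers only the first LEGACY_MAX_LEN characters


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in; any slow password hash would do the same job here
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_legacy_credential(password: str) -> Credential:
    """Simulates the old system: the password is cut to 16 chars before hashing,
    and the row is flagged so the login path knows the digest is truncated."""
    salt = os.urandom(16)
    return Credential(salt, _kdf(password[:LEGACY_MAX_LEN], salt), truncated=True)


def create_credential(password: str) -> Credential:
    """New-style row: the full password is hashed, flag cleared."""
    salt = os.urandom(16)
    return Credential(salt, _kdf(password, salt), truncated=False)


def verify_and_migrate(cred: Credential, password: str) -> Tuple[bool, Credential]:
    """Check a login attempt. For a flagged row only the first 16 characters are
    compared; on success the row is rehashed over the full typed password and the
    flag is cleared, so the transitional step happens transparently at login."""
    candidate = password[:LEGACY_MAX_LEN] if cred.truncated else password
    ok = hmac.compare_digest(_kdf(candidate, cred.salt), cred.digest)
    if ok and cred.truncated:
        # Whatever the user typed this time (16-char prefix or the full long
        # password) becomes the canonical password from now on.
        cred = create_credential(password)
    return ok, cred


def easier_targets(table: Dict[str, Credential]) -> List[str]:
    """What a dumped table gives away: rows whose flag says the digest protects at
    most LEGACY_MAX_LEN characters, i.e. the ones an attacker should crack first."""
    return sorted(user for user, cred in table.items() if cred.truncated)


if __name__ == "__main__":
    table = {
        "alice": create_legacy_credential("correct horse battery staple"),  # constructed
        "bob": create_credential("a new account with a long passphrase"),   # constructed
    }
    print("flagged rows visible in a dump:", easier_targets(table))
    ok, table["alice"] = verify_and_migrate(table["alice"], "correct horse battery staple")
    print("alice login ok:", ok, "still truncated:", table["alice"].truncated)
    print("flagged rows after alice's first login:", easier_targets(table))
```

Note the hazard in `verify_and_migrate`: until the row is migrated, any string that shares the first 16 characters is accepted, and the first such string to be typed is the one that gets rehashed in full. That is exactly why the comment suggests getting users onto the 16-character form before lifting the limit, and why the flag column is a gift to anyone who dumps the table.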
