I'm aware of this. It's due to the nature of hash functions: they each produce a fixed length byte array. SHA-1 always produces 160 bytes; SHA-256 always produces 256 bytes. The bytes are encoded into printable characters using the character set you define, but that character set is a radix. The more characters in the set, the more bytes can be encoded by a single character.
The only way around this is to repeat the password to meet the requested password length.
Is this an acceptable fix?
Thanks for the replies!
Three things:
(1) I don't understand what increasing the number of characters inputted has to do with the outputted password length. With 100 characters, the outputted password matches the requested password in length. With 200+ characters, the outputted password is shorter. With 10,000 characters, it's quite a bit shorter.
In my confused mind, if the # of characters inputted really has to affect the outputted password length, wouldn't it be more secure (than repeating the password) to pick a
random set of x (max number of characters) characters from the inputted set?
(2) Repeating the password or whatever solution is done runs the chance of altering existing passwords, so like other fixes, it probably should only be done with new passwords.
(3) I would suggest that if there's a warning, it should give the max input characters and max password length so people aren't having to play around to find those values...
Anyway, sorry for the confusion. I regularly use very long passwords; I think it was the addition of the random feature that brought this issue to the fore, as it's now simple to have input character sets of whatever length you wish.
Edit: I guess it can't be random, silly me. :)