fix: increase password length to 128 chars#3141

Merged: CharlVS merged 4 commits into dev from cursor/fix-password-validation-bug-1868 on Sep 16, 2025

Conversation

@CharlVS (Collaborator) commented Sep 12, 2025

Remove 40-character input limits from password fields to prevent truncation and ensure consistent validation of long passwords.



Co-authored-by: charl <charl@vanstaden.info>
@cursor bot commented Sep 12, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

@coderabbitai bot (Contributor) commented Sep 12, 2025

Important: Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note: Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


@github-actions bot commented Sep 12, 2025

Visit the preview URL for this PR (updated for commit e8306b6):

https://walletrc--pull-3141-merge-8xgadwgu.web.app

(expires Tue, 23 Sep 2025 13:40:48 GMT)


@CharlVS CharlVS marked this pull request as ready for review September 12, 2025 21:06
@smk762 (Collaborator) commented Sep 14, 2025

Unrestricted length inputs frighten me. Suggest a permissive, yet sane limit of 1024.

I consulted an agent for recommendations, pasted below:

I pulled guidance from RFC 9106 and standards (NIST, OWASP) to answer precisely.

  • Short answer: Argon2id itself accepts passwords up to 2^32−1 bytes (~4.29 GB). For production services, standards recommend allowing at least 64 characters without truncation; a practical cap of 128 characters is commonly recommended and aligns with best practice.

Why:

  • Algorithmic max (not a practical limit): Argon2 per RFC 9106 supports inputs up to 2^32−1 bytes.
  • Usability/security guidance: Verifiers should permit at least 64 characters and not truncate; many orgs choose 128 as a safe, user-friendly cap.
  • DoS considerations: Extremely long inputs can be abused; a sane upper bound (e.g., 128–256) mitigates risk while not weakening security.

Recommendation for this app (after removing the 40-char limit in the PR):

  • Accept and hash passwords up to 128 characters (no truncation), with client and server-side validation consistent.

References:

I reviewed the standards and propose setting a 128-character cap with no truncation to align with NIST/OWASP while preventing DoS from excessively long inputs.


@CharlVS (Collaborator, Author) commented Sep 15, 2025

@cursoragent, increase the max password character limit to 128 throughout the app. Include a TODO about adding the same changes to the SDK.

@cursor bot commented Sep 15, 2025

I standardized the maximum password length across the application by introducing a new constant and applying it to all relevant password input fields. This ensures consistent validation and user experience for password entry throughout the app.

  • I added a const int passwordMaxLength = 128; to lib/shared/constants.dart to define a global maximum password length.
  • I updated numerous TextFormField widgets across the application to enforce this new passwordMaxLength. This includes password fields in TrezorDialogSelectWallet, PasswordDialogContent, PasswordUpdatePage, CreationPasswordFields, WalletDeleting, WalletImportByFile, and WalletLogIn.
  • For all updated TextFormField instances, I also set counterText: '' to hide the default character counter, providing a cleaner UI.

4 tasks completed

  • Add passwordMaxLength=128 to shared constants
  • Apply maxLength to all password entry fields across app
  • Add TODO note to mirror changes in SDK
  • Run linter on edited files and fix issues

Co-authored-by: charl <charl@vanstaden.info>
@CharlVS CharlVS requested a review from smk762 September 15, 2025 10:54
@CharlVS CharlVS changed the title Fix password validation bug fix: increase password length to 128 chars Sep 15, 2025
@smk762 (Collaborator) left a review comment

Confirm has hard limit of 128 char ✔️
An edge case exists where, if a user enters a longer password, there is no visual feedback to indicate that the limit has been exceeded. This may result in users with excessively long passwords being unaware that the excess chars were not included.

This is P2: low probability occurrence with mid-level UX impact. It shouldn't lead to loss of funds - input on login is similarly constrained, and could be resolved with a simple support query if needed.

Content to approve in current state and delegate the above comment to an issue if resolution would further delay release.
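The thread describes the change in two parts: a shared `passwordMaxLength = 128` constant applied as `maxLength` on every password `TextFormField` with the counter hidden (`counterText: ''`), and the agent's recommendation that client and server-side validation stay consistent with no truncation. The review comment above notes the side effect: with the counter hidden, a user who types more than 128 characters gets no signal that the tail was dropped. The Flutter snippet below is an added illustration, not code from this PR or its repository, of one way to keep the cap while making the overflow visible: the field stops truncating (`MaxLengthEnforcement.none`) and a validator reports the excess instead. The constant name `passwordMaxLength` matches the one the PR adds; `PasswordField`, `passwordLengthError`, `passwordCharCount` and `passwordUtf8Bytes` are hypothetical names, and the assumption that the backend counts Unicode code points is labelled in the comments.

```dart
// Added example, not code from this PR or its repository: a password field
// that keeps the 128-character cap but surfaces the overflow to the user
// instead of silently dropping the extra characters. The constant name
// passwordMaxLength matches the one the PR adds; the widget and helper
// names are hypothetical.
import 'dart:convert' show utf8;

import 'package:flutter/material.dart';
import 'package:flutter/services.dart';

/// Same value the PR adds to lib/shared/constants.dart.
const int passwordMaxLength = 128;

/// Counts Unicode code points so the client and any server-side check agree
/// on what "128 characters" means (assumption: the server counts the same
/// way; String.length would count UTF-16 code units instead).
int passwordCharCount(String password) => password.runes.length;

/// UTF-8 byte length of the password. At most 4 bytes per code point, so a
/// 128-code-point password is at most 512 bytes, far below the 2^32-1 byte
/// Argon2 input limit cited in the thread; handy when a backend caps bytes.
int passwordUtf8Bytes(String password) => utf8.encode(password).length;

/// Returns a user-visible error when the cap is exceeded, otherwise null.
/// Signature matches FormFieldValidator<String>, so it plugs into the field.
String? passwordLengthError(String? password) {
  final int count = passwordCharCount(password ?? '');
  if (count > passwordMaxLength) {
    final int excess = count - passwordMaxLength;
    return 'Password is $excess character${excess == 1 ? '' : 's'} over the '
        '$passwordMaxLength-character limit';
  }
  return null;
}

/// Hypothetical field widget showing the two settings that matter for the
/// edge case raised in review: input is not truncated
/// (MaxLengthEnforcement.none), and the validator restores the feedback that
/// hiding the counter (counterText: '') removes.
class PasswordField extends StatelessWidget {
  const PasswordField({super.key, required this.controller});

  final TextEditingController controller;

  @override
  Widget build(BuildContext context) {
    return TextFormField(
      controller: controller,
      obscureText: true,
      autocorrect: false,
      enableSuggestions: false,
      autovalidateMode: AutovalidateMode.onUserInteraction,
      maxLength: passwordMaxLength,
      maxLengthEnforcement: MaxLengthEnforcement.none,
      validator: passwordLengthError,
      decoration: const InputDecoration(
        labelText: 'Password',
        // Hidden as in the PR; the validator message provides the feedback.
        counterText: '',
      ),
    );
  }
}
```

The submit handler of the enclosing `Form` still has to call `validate()` before the password is hashed or sent, because `MaxLengthEnforcement.none` means nothing else stops an over-long value from leaving the field; the same `passwordLengthError` check can be reused on the submit path so the client applies one rule everywhere.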

@CharlVS CharlVS requested a review from Copilot September 16, 2025 12:50
@CharlVS (Collaborator, Author) commented Sep 16, 2025

@cursor review

@CharlVS CharlVS self-assigned this Sep 16, 2025
Copilot AI (Contributor) left a review comment

Pull Request Overview

This PR increases the maximum password length from 40 to 128 characters across all password input fields in the application to prevent truncation and ensure consistent validation of long passwords.

  • Removes LengthLimitingTextInputFormatter(40) from password fields
  • Adds a centralized passwordMaxLength constant set to 128 characters
  • Updates all password input fields to use the new length limit with hidden counter text

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Summary per file:

  • lib/shared/constants.dart: Adds new passwordMaxLength constant set to 128 characters
  • lib/views/wallets_manager/widgets/wallet_login.dart: Updates password field to use new length limit
  • lib/views/wallets_manager/widgets/wallet_import_by_file.dart: Updates password field to use new length limit
  • lib/views/wallets_manager/widgets/wallet_deleting.dart: Updates password field to use new length limit
  • lib/views/wallets_manager/widgets/creation_password_fields.dart: Removes old 40-character limit and applies new 128-character limit
  • lib/views/settings/widgets/security_settings/password_update_page.dart: Removes old 40-character limit and applies new 128-character limit
  • lib/views/common/wallet_password_dialog/password_dialog_content.dart: Removes old 40-character limit and applies new 128-character limit
  • lib/views/common/hw_wallet_dialog/trezor_steps/trezor_dialog_select_wallet.dart: Updates passphrase field to use new length limit


cursor[bot]

This comment was marked as outdated.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@CharlVS (Collaborator, Author) commented Sep 16, 2025

> Confirm has hard limit of 128 char ✔️ An edge case exists where, if a user enters a longer password, there is no visual feedback to indicate that the limit has been exceeded. This may result in users with excessively long passwords being unaware that the excess chars were not included.
>
> This is P2: low probability occurrence with mid-level UX impact. It shouldn't lead to loss of funds - input on login is similarly constrained, and could be resolved with a simple support query if needed.
>
> Content to approve in current state and delegate the above comment to an issue if resolution would further delay release.

@smk762 Please do create an issue.

@CharlVS CharlVS merged commit fed5f3a into dev Sep 16, 2025
7 of 13 checks passed
@CharlVS CharlVS deleted the cursor/fix-password-validation-bug-1868 branch September 16, 2025 13:37
@CharlVS CharlVS mentioned this pull request Oct 5, 2025