allows the user to change password to length more than max

Account Management works with 40-character passwords. It accepts at least 128 characters, however.

Account Management actually informs the user that the maximum is 40 charaters, but Account Management does not, thus allowing the user to change his password to an invalid value silently.