While I understand the argument, this is a Java library and itself doesn't have any such limit beyond the limits of a string or char array.
That does not mean that there are not limits in stores that Plexus may want to provide an implementation for, however those implementations can handle the requirements of their stores in a way that makes sense for them. This component should not arbitrarily enforce limits that those implementations may or may not need.
Stores with a "hard coded upper limit" may truncate or use any other pattern that they need to use to satisfy the story they are implementing. To answer your question, here is my opinion:
- Do not state the upper limit in the error message, this I think would be a security problem.
- Upper limit, if there is one, must be configurable, preferably in-process so that an application using it (like Archiva) can provide their own limit or allow the user to change it through a UI.
- No truncation should occur. Allow implementations to truncate if that is truly what they need to do, but not all implementations will need to truncate and they should not receive a pre-truncated password under any circumstances.
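The three points above, sketched as an added Java example that is not Plexus code and not from the commenter: the `LengthPolicy`, `PasswordStore`, `FixedWidthStore` and `UnboundedStore` names are hypothetical. The library-level policy has no limit unless the embedding application sets one, its rejection message carries no number, and it hands the store the original array untouched; any shortening happens inside the one store that needs it.

```java
import java.util.Arrays;
import java.util.OptionalInt;

public class PasswordLimitDemo {

    /** Store abstraction: each backend satisfies its own constraints in its own way. */
    interface PasswordStore {
        void store(String user, char[] password);
    }

    /** Hypothetical library-level policy; an empty limit means "no limit". */
    static final class LengthPolicy {
        private volatile OptionalInt max = OptionalInt.empty();

        /** Called by the embedding application (or from its UI), not hard-coded in the library. */
        void setMax(int n) {
            if (n <= 0) throw new IllegalArgumentException("limit must be positive");
            max = OptionalInt.of(n);
        }

        /** Rejects over-long passwords without disclosing the threshold; never shortens the array. */
        char[] enforce(char[] password) {
            if (password == null) throw new IllegalArgumentException("password required");
            if (max.isPresent() && password.length > max.getAsInt()) {
                // Generic message: the configured number is deliberately not included.
                throw new IllegalArgumentException("password is not acceptable under the current length policy");
            }
            return password; // same reference, same length: no pre-truncation
        }
    }

    /** A backend with a fixed column width; truncation is its own local decision. */
    static final class FixedWidthStore implements PasswordStore {
        private final int width;
        char[] last;
        FixedWidthStore(int width) { this.width = width; }
        public void store(String user, char[] password) {
            last = Arrays.copyOf(password, Math.min(password.length, width));
        }
    }

    /** A backend with no such constraint keeps the full credential. */
    static final class UnboundedStore implements PasswordStore {
        char[] last;
        public void store(String user, char[] password) {
            last = password.clone();
        }
    }

    public static void main(String[] args) {
        LengthPolicy policy = new LengthPolicy();
        char[] pw = new char[300];          // constructed sample: a 300-char password
        Arrays.fill(pw, 'x');

        UnboundedStore unbounded = new UnboundedStore();
        unbounded.store("alice", policy.enforce(pw));
        System.out.println("unbounded store kept " + unbounded.last.length + " chars");

        FixedWidthStore fixed = new FixedWidthStore(128);
        fixed.store("alice", policy.enforce(pw));
        System.out.println("fixed-width store kept " + fixed.last.length + " chars");

        policy.setMax(64);                  // the application configures the limit at runtime
        try {
            policy.enforce(pw);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Arrays.fill(pw, '\0');              // wipe the char[] when finished with it
    }
}
```

With no limit configured, both stores receive all 300 characters and only the fixed-width backend shortens its own copy; once the application sets a limit, the policy refuses the password with a message that does not reveal the configured value.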