Minor Issue with Password change procedure
As a retired I.T. geek, I'm perhaps a lot more cautious about computer security than most people. So the first thing I always do on a new site is change to a new, long password. My password manager (1Password) is set to generate a 30 character random password when I need a new one.
Which "seemed" to work just fine when I did the "old ... new ... verify" process on the account page. No errors or anything and the password was changed. However, I could not login when I tested it on a different machine.
Fortunately (being a paranoid sort), I was still logged in on my laptop and was able to determine that the reset page and the login page both silently discard anything over 20 characters. However, the reset page ignores the extra and succeeds in changing the password, but the login page fails with no indication why.
Perhaps you could put a message on the password reset page indicating the 20 character maximum length.
Yes, the forum software imposes a 6-20 character restriction on passwords. I've changed the message on the password change section of the user profile page to reflect this.
"Never trust a computer you can’t throw out a window." — Steve Wozniak