The password length is artificially limited to 10 characters by the Smarty templates used when adding or editing a user. Since passwords are stored as 128 bit MD5 hashes, the max password length should be 32. The below patch to the involved Smarty templates increases maximum password length to 32.
Fixes #202 - password length
Refactored UDF into mvc