i % l yields 0 at every multiple of the scramble length under Lua's 1-based strings, making strbyte() return nil and aborting auth for passwords of length >= 19. Use (i-1)%l+1, and guard the nil return of _encrypt_password.