Having been tearing my hair out wondering why my bot code can't log in a specific account for a few days now....
At least from the viewer's perspective, logins are done via an MD5 hash of the password (which really makes the length constraint irrelevant as the MD5 output is fixed length regardless of input size)... I tried logging in with the viewer and this account, worked fine, but my bot would only get generic auth failure errors.
I eventually intercepted the Login XML document from firestorm to see how that was working and spotted the obvious MD5 mismatch, with me doing a replay attack through my bot working just fine...
I found this page while googling the "second life MD5 login", because I figured they were using some "modified" MD5 or something...
But no, just substring the first 16 characters of the password and MD5 hash that and you get the right hash, and it lets you log in.
Can't speak to the web login service, not poked that, but the viewer/agent login service only respects the first 16 characters of the password apparently. But the viewer masks this behaviour from you and lets you use >16 chars. But if I'm right, changing the last character on your >16 character password will still log you in fine, because it's truncated before being hashed.
Enjoy... I did.
Edit: Nothing complains at /registration/ time if you put too long a password in... Also website does the exact same truncation. I discovered this using a random 24 character password. Turns out if I take the first 16 characters of my password then I can then type whatever garbage I like after that and I can log in to my.secondlife.com too - same behaviour as the viewer basically.
Wonder if they store anything more than an MD5 hashed version at the SL end (doesn't seem to be any need to), and if not, is there any practical reason for the limitation? MD5 strings all come out as 16 characters anyway, so you can just take the extra chars into the hash. Though obviously a bit late to be changing this now.
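To make the truncation effect concrete, here is an added Python example (not code from the post, the bot, or Second Life): `truncated_md5` models the scheme the post describes (assumed from the post, not confirmed against the real service), `collides_after_truncation` shows why two passwords that differ only after the 16th character verify identically, and `hash_password` / `verify_password` are a hardened alternative using a salted, iterated PBKDF2 over the full password, where the same pair of passwords is correctly told apart. The 24-character sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 16  # limit described in the post (assumption about the service)


def truncated_md5(password: str, limit: int = TRUNCATE_AT) -> str:
    """Model of the login scheme described in the post: keep only the first
    `limit` characters, then MD5 the result. hexdigest() is always 32 hex
    characters (16 bytes), whatever the input length."""
    return hashlib.md5(password[:limit].encode("utf-8")).hexdigest()


def collides_after_truncation(a: str, b: str) -> bool:
    """True when two *different* passwords produce the same truncated hash,
    i.e. the login would accept either one for the same account."""
    return a != b and truncated_md5(a) == truncated_md5(b)


# Hardened alternative: salted, iterated hash over the entire password.
# (Iteration count kept modest so the example runs quickly; production
# deployments would use a higher count or a memory-hard KDF.)
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """Return (salt, digest) for storage. A fresh random salt is generated
    when none is supplied; the full password is fed into the KDF."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the KDF and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed 24-character password and a variant differing only in the last character.
SAMPLE = "Tr0ub4dor&3-hunter2-xyz!"
VARIANT = "Tr0ub4dor&3-hunter2-xyz?"


def demo() -> dict:
    """Run both schemes on the constructed pair and report the outcome."""
    salt, digest = hash_password(SAMPLE)
    return {
        "truncated_scheme_collides": collides_after_truncation(SAMPLE, VARIANT),
        "hardened_accepts_real": verify_password(SAMPLE, salt, digest),
        "hardened_accepts_variant": verify_password(VARIANT, salt, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the truncating scheme the two passwords are indistinguishable after the 16th character, so a password-change audit or a credential-reuse check that assumes the whole string matters will be misled; the PBKDF2 version hashes every character and rejects the variant.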