I've noticed a problem relating to a difference between your password reset page and the login page.
On your password reset page, you (inexplicably!) restrict passwords to 25 characters in length. However this is not mentioned at all on the page. You only state the restrictions for minimum length, letters/numbers/symbols - no max length.
I use a password manager (best practice) to store my logins and usually my passwords are at least 30 characters long. When I created and pasted my password into your site, because your reset page has a max length of 25 characters on the input field, it simply truncates the rest of the password I created, and doesn't say a thing. So I update the password thinking I've now changed it to 30 characters but it's actually 25.
Then, on the login page, there is no restriction on password length, so I paste in my 30 character password and it fails - because you don't truncate your passwords on the login page.
This means that you've got a functionality difference between the reset and login pages. You restrict it on the reset page but not the login page. Further, you restrict passwords to 25 characters which is quite a small amount. I can't think of a good reason why you would restrict passwords to anything less than 100 characters. Ultimately, when the password goes into your system, it gets hashed (or it had better!) and converted into a string with a length that's the same as all the other passwords, so it has nothing to do with storage restrictions.
So, I have several points:
- You need to be up front about password length limits. You mention min 8 chars but don't mention max 25! You simply truncate a password longer without mentioning anything (UX flaw).
- Your login page has no restrictions on the password length. So if I create one in my password manager and paste it over, it's not cut off (UX flaw).
- There's no good reason why you restrict password length to that short. Seriously! If you have technical reasons, that's very worrying (security flaw).
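The mismatch described above (a reset form that silently truncates at a `maxlength` of 25 while the login form does not) and the point that hashing makes password length irrelevant to storage can both be shown in a few lines. The following is an added illustration, not code from the site being complained about: it contrasts a constructed `reset_truncating` path that reproduces the described behaviour with a shared `validate_password` check used by both reset and login, so the two pages can never disagree and the maximum is reported rather than silently enforced. The policy limits, usernames and the 128-character cap are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed policy for this example: one set of limits shared by every
# page that accepts a password. MAX_LEN is a generous assumption; the
# 25-character cap from the message appears only in reset_truncating().
MIN_LEN = 8
MAX_LEN = 128


def validate_password(password: str) -> list[str]:
    """Return human-readable policy violations (empty list if the password is OK).

    Used by both the reset and login paths so they apply identical rules, and
    the maximum length is stated to the user instead of being silently
    enforced by a truncating input field.
    """
    errors = []
    if len(password) < MIN_LEN:
        errors.append(f"password must be at least {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        errors.append(f"password must be at most {MAX_LEN} characters")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 yields 32 bytes whatever the input length, which is
    # why a short cap has nothing to do with storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def reset_truncating(self, user: str, password: str, field_maxlength: int = 25) -> None:
        """The behaviour the message describes: an input field with
        maxlength=25 drops everything past 25 characters without a word."""
        truncated = password[:field_maxlength]
        salt = os.urandom(16)
        self._records[user] = (salt, hash_password(truncated, salt))

    def reset(self, user: str, password: str) -> list[str]:
        """Consistent reset: reject with an explicit message, never truncate."""
        errors = validate_password(password)
        if errors:
            return errors
        salt = os.urandom(16)
        self._records[user] = (salt, hash_password(password, salt))
        return []

    def login(self, user: str, password: str) -> bool:
        # Same validator as reset, and no truncation anywhere on this path.
        if validate_password(password):
            return False
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))


def demo() -> tuple[bool, bool]:
    """Reproduce the complaint, then show the consistent behaviour.

    Returns (login_after_truncating_reset, login_after_consistent_reset).
    """
    password = "correct-horse-battery-staple-42"  # constructed, 30 characters
    store = PasswordStore()

    store.reset_truncating("alice", password)   # stores hash of first 25 chars
    after_truncation = store.login("alice", password)  # 30-char input: mismatch

    store.reset("alice", password)              # full password accepted
    after_consistent = store.login("alice", password)
    return after_truncation, after_consistent


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Running `demo()` shows the failure the message reports: the truncating reset stores a hash of 25 characters, so the 30-character login fails, while the shared validator makes reset and login agree. The digest length from `hash_password` is the same for an 8-character and a 200-character input, which is the storage argument from the message made concrete.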