authorDavid Pursehouse <david.pursehouse@sonymobile.com>2014-11-26 00:23:57 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2014-11-26 00:23:59 +0000
commitd5d56d971a5a6732e1aa07347fbb198cdafb2ca3 (patch)
tree07813ca987f502ad90ad83e958400008de1cc400
parent2b2d62b1d1704b639287fc62fe87bedf2cab85bf (diff)
parentd1732a11bfb354145edc8c7b39e5b6f6ac9b416b (diff)
Merge changes If70bf233,Ie90ccc80 into stable-2.9
* changes: Increase the size of HTTP passwords Do not throw away random bytes from the CSPRNG
-rw-r--r--Documentation/rest-api-accounts.txt2
-rw-r--r--gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java6
2 files changed, 4 insertions, 4 deletions
diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt
index 28014295f9..2276e40dc1 100644
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -269,7 +269,7 @@ Retrieves the HTTP password of an account.
Content-Type: application/json;charset=UTF-8
)]}'
- "ETxgpih8xrNs"
+ "Qmxlc21ydCB1YmVyIGFsbGVzIGluIGRlciBXZWx0IQ"
----
If the account does not have an HTTP password the response is `404 Not Found`.
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
index f7061e3738..c814fb89ad 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
@@ -43,7 +43,7 @@ public class PutHttpPassword implements RestModifyView<AccountResource, Input> {
public boolean generate;
}
- private static final int LEN = 12;
+ private static final int LEN = 31;
private static final SecureRandom rng;
static {
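Review bot: `LEN` has no comment saying what it measures, and after this change it no longer matches the length of the generated password. It appears to size the random byte array (the allocation is outside the hunk), while the returned string is the Base64 form with padding stripped, which is 42 characters for 31 bytes, as the updated documentation example shows. I would add `// Number of random bytes drawn from the CSPRNG; the password is their Base64 encoding without padding.` above the constant. Any storage column or validation bound chosen for the old 12-character value should be checked as well; none is visible here. The static initializer continues past the hunk.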
@@ -124,8 +124,8 @@ public class PutHttpPassword implements RestModifyView<AccountResource, Input> {
rng.nextBytes(rand);
byte[] enc = Base64.encodeBase64(rand, false);
- StringBuilder r = new StringBuilder(LEN);
- for (int i = 0; i < LEN; i++) {
+ StringBuilder r = new StringBuilder(enc.length);
+ for (int i = 0; i < enc.length; i++) {
if (enc[i] == '=') {
break;
}
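Review bot: The password can contain `+` and `/`, because `encodeBase64(rand, false)` uses the standard Base64 alphabet. Now that all 42 encoded characters are kept instead of the first 12, a given password is more likely to include one. Clients that embed the password unescaped in a URL or a credentials file may mis-parse it, so it is worth confirming that consumers handle these characters. If the import is commons-codec (not visible in this hunk), `Base64.encodeBase64URLSafe(rand)` returns unpadded URL-safe output and would make the `=` scan unnecessary. If the loop stays, a short comment such as `// Stop at the first padding character; everything before it is password material.` would explain the `break`. The loop body and the enclosing method continue outside the hunk.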