user-groups: fix potential problem with group sync of external plugins.
- when using external plugin we used to check for a parameter that set the
sync mode. The problem is we only checked if the flag was there. So
toggling sync on and off set the value and then left the key still set
but with None. This confused the sync and thought the group should be
synced !
security: limit the maximum password lenght to 72 characters to prevent possible
server side resource consumption attack.
- bcrypt heavy computation can lead to DOS using a very long password .eg 10**8 lenght.
- we allowed this on registration or on password update