This is very similar to 2.6.1 but fixes some problem with a missing admin file (also fixed in 2.6.2) and a potential DoS security issue.
We thank them for discovering and reporting it.
In web2py 2.5.x and earlier we suffer from the same problem. This is because while the default password validator checks for length, the check is performed after hashing, before inserting the hashed password in database. In 2.6.1/2 we have a different implementation of the hashing algorithm and we do not know how severe the problem is.
In any case 2.6.3 fixes the problem by truncating the password to 1024 chars when passed to the CRYPT validator.
You should upgrade.
Massimo