diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 4c4a12355d22f..386987842c2eb 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -121,7 +121,7 @@ public function logout() {
 
 		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
 			'core.login.showLoginForm',
-			['clear' => true] // this param the the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
+			['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
 		));
 
 		$this->session->set('clearingExecutionContexts', '1');
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index fadfa242b939e..e7960dbcef582 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -240,6 +240,10 @@ public function setPassword(string $token, string $userId, string $password, boo
 			$this->eventDispatcher->dispatchTyped(new BeforePasswordResetEvent($user, $password));
 			\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', ['uid' => $userId, 'password' => $password]);
 
+			if (strlen($password) > 469) {
+				throw new HintException('Password too long', $this->l10n->t('Password is too long. Maximum allowed length is 469 characters.'));
+			}
+
 			if (!$user->setPassword($password)) {
 				throw new Exception();
 			}