by Klathmon 3572 days ago
I'm really surprised at maximum character lengths.

I use a password generator that defaults to 256 characters, and literally nobody has allowed that yet that I've tried.

It's funny the arbitrary numbers some cut off at.

Many limit it at 32, a strange number at 40 for some reason, a few at 60, and others still will silently truncate it to some number on the signup form, then forget to truncate the login form...

256 characters is ~1536 bits depending on what characters you use.

There is secure, and there is silly. NIST recommends 80 bits for passwords. Anything over 128 bits is excessive, anything over 256 bits is silly.

I'm not complaining about them not supporting 256, I just find the arbitrary limits imposed strange.

A site I signed up for today limited it at 42. Why?

And even if 128 is way over excessive, does it actually make a difference to the server? Obviously you don't want to be hashing multi megabyte passwords, but don't most password hashing systems need a certain sized key to work, so it's padded out to that point anyway? And once it's processing further "iterations", the size of the first password is pretty much irrelevant.

bcrypt, for example, is limited to 50-70 character inputs, depending on the implementation.

If you use a password manager there is practically no cost to the user to use any number of characters. Why not go for something insanely large from the user perspective?
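The "truncate on the signup form, forget to truncate on the login form" failure mode from the thread, reproduced as an added example that is not part of the discussion: a store that cuts the password at a constructed 32-character limit only on registration, beside one that applies a single length check on both paths and rejects over-long input instead of silently shortening it. The stdlib PBKDF2 stands in for whatever hash the site uses so the snippet runs offline; the same consistency point applies to bcrypt's own input limit.

```python
import hashlib
import hmac
import os

# Constructed limits for the demo: the 32-char cut-off from the thread, and a bounded ceiling for the fixed store.
SIGNUP_TRUNCATE_AT = 32
MAX_PASSWORD_BYTES = 256


def _derive(password, salt):
    # PBKDF2-HMAC-SHA256 from the stdlib; iteration count kept low so the demo is quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class TruncatingStore:
    """The bug from the thread: signup silently truncates, login hashes the full input."""
    def __init__(self):
        self.users = {}
    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(password[:SIGNUP_TRUNCATE_AT], salt))
    def login(self, user, password):
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _derive(password, salt))


class ConsistentStore:
    """One length check shared by both paths: over-long input is rejected, never cut."""
    def __init__(self):
        self.users = {}
    @staticmethod
    def _checked(password):
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            raise ValueError("password longer than %d bytes" % MAX_PASSWORD_BYTES)
        return password
    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(self._checked(password), salt))
    def login(self, user, password):
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _derive(self._checked(password), salt))


def demo(password):
    """Register then log in with the same password on both stores; returns (buggy_ok, fixed_ok)."""
    out = []
    for store in (TruncatingStore(), ConsistentStore()):
        store.register("alice", password)
        out.append(store.login("alice", password))
    return tuple(out)
```

A 40-character password registers fine on the buggy store but can never log in, which is exactly the user-facing symptom described above; the consistent store either accepts the full string on both paths or refuses it up front.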