I'm not complaining about them not supporting 256, I just find the arbitrary limits imposed strange.
A site I signed up for today limited it at 42. Why?
And even if 128 is way over excessive, does it actually make a difference to the server? Obviously you don't want to be hashing multi-megabyte passwords, but don't most password hashing systems need a certain-sized key to work, so it's padded out to that point anyway? And once it's processing further "iterations", the size of the first password is pretty much irrelevant.
If you use a password manager there is practically no cost to the user to use any number of characters. Why not go for something insanely large from the user's perspective?
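An added example, not part of the original comments: for PBKDF2-HMAC-SHA256 specifically, this hand-written first output block shows that the password is read only once during HMAC key setup (hashed if longer than 64 bytes, zero-padded otherwise) and that every later iteration works on fixed 32-byte values. The function names, salt and passwords are constructed for illustration.

```python
import hashlib

BLOCK = 64  # SHA-256 block size in bytes; HMAC keys are normalised to this

def normalise_key(password: bytes) -> bytes:
    """HMAC key setup: hash anything longer than a block, then zero-pad."""
    if len(password) > BLOCK:
        password = hashlib.sha256(password).digest()
    return password.ljust(BLOCK, b"\x00")

def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """First 32-byte output block of PBKDF2-HMAC-SHA256, written out by hand."""
    key = normalise_key(password)  # the only step whose cost depends on length
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha256(bytes(b ^ 0x5C for b in key))

    def prf(msg: bytes) -> bytes:
        i = inner.copy()
        i.update(msg)
        o = outer.copy()
        o.update(i.digest())
        return o.digest()

    u = prf(salt + (1).to_bytes(4, "big"))
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):  # every later round hashes 32-byte values
        u = prf(u)
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(32, "big")

def demo() -> dict:
    salt, iters = b"constructed-salt", 1000        # constructed sample values
    short, long_pw = b"correct horse", b"x" * 128  # constructed passwords
    ref = lambda pw: hashlib.pbkdf2_hmac("sha256", pw, salt, iters)
    return {
        "matches_hashlib": pbkdf2_sha256(long_pw, salt, iters) == ref(long_pw)
        and pbkdf2_sha256(short, salt, iters) == ref(short),
        "long_equals_prehash": ref(long_pw) == ref(hashlib.sha256(long_pw).digest()),
        "zero_pad_equal": ref(short) == ref(short + b"\x00"),
    }

if __name__ == "__main__":
    print(demo())
```

This covers PBKDF2-HMAC only; other password hashing schemes treat input length differently.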