by tracker1 3292 days ago
Yeah... I feel that if you're limiting input, that limit should at LEAST be 64-100 characters or more. Then, since you're hashing anyway, I wouldn't worry too much about limits (other than practical check times, for creation complexity requirements, etc.).

The other side is to use a fairly expensive hash, and methods to mitigate/reduce use of a login system as a DDoS vector... having the system and database used for authentication separate from your actual application is a good start, as is exponential backoff on bad passwords by IP and username.

Moving to a separate "auth" domain that returns a signed or encrypted token, and having that in isolation won't stop your processes from running if you get too many requests for auth at once. Having an exponential and random wait before returning from a failed login is another. Keeping track of IP/user requests in an N minute block is also helpful.

Token re-auth may be on the auth domain or the actual service domain, so that can be different.
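A sketch of the per-IP and per-username exponential backoff with a random wait that the comment describes, written as an added example (not the commenter's code); the window length, base delay and cap are assumed values.

```python
import random
import time
from dataclasses import dataclass

WINDOW_SECONDS = 600   # the "N minute block": assumed 10 minutes
BASE_DELAY = 0.5       # seconds added after the first failure (assumed)
MAX_DELAY = 60.0       # cap so a spammed username cannot be locked out forever (assumed)


@dataclass
class AttemptState:
    failures: int = 0
    window_start: float = 0.0


class LoginThrottle:
    """Tracks failed logins per IP and per username; the worse counter drives the delay."""

    def __init__(self, now=time.monotonic, rng=random.random):
        self._state = {}
        self._now = now   # injectable clock so the behaviour is testable
        self._rng = rng   # injectable randomness for the jitter

    def _bucket(self, key):
        st = self._state.setdefault(key, AttemptState())
        now = self._now()
        if now - st.window_start > WINDOW_SECONDS:
            st.failures, st.window_start = 0, now   # new N-minute block
        return st

    def delay_for(self, ip, username):
        """Seconds to wait before answering a login attempt from (ip, username).

        Exponential in the larger of the two failure counters, plus random jitter
        in [0, base) so the response time does not leak the exact counter value.
        """
        failures = max(self._bucket(("ip", ip)).failures,
                       self._bucket(("user", username)).failures)
        if failures == 0:
            return 0.0
        base = min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)
        return base + self._rng() * base

    def record(self, ip, username, success):
        """Call after every attempt: success clears both counters, failure bumps both."""
        for key in (("ip", ip), ("user", username)):
            st = self._bucket(key)
            st.failures = 0 if success else st.failures + 1
```

Keying on both IP and username means a distributed guess against one account and a single host guessing many accounts both slow down; the cap bounds how long an attacker can keep a legitimate user waiting by spamming their username.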