by tcaputi
3287 days ago
64 bytes is a bit arbitrary. Up until now I had not heard any complaints about this since most people I know who would use a 64 character passphrase are using a password manager instead. I am adding a test to the PR today and when I do I'll bump it to 512 bytes. We don't want arbitrary password lengths to prevent crazy amounts of passphrase hashing. We use PBKDF2 as a key derivation function, which is specifically designed to turn low entropy, arbitrary length strings into fixed length, high entropy keys suitable for encryption. It also has the added bonus of making password brute forcing significantly harder.
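The point made in the comment above, as an added example that is not the project's own code: PBKDF2 maps a passphrase of any length up to a fixed cap onto a fixed-size key, and the iteration count, not the passphrase length, is what makes each guess expensive. The 512-byte cap comes from the comment; the 32-byte key length, the iteration count and the salt-length check are assumptions.

```python
import hashlib
import os

MAX_PASSPHRASE_BYTES = 512   # the cap proposed in the comment above
KEY_BYTES = 32               # assumed output size (e.g. an AES-256 key)
ITERATIONS = 200_000         # assumed work factor; raise it as hardware gets faster


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length key from an arbitrary-length passphrase with PBKDF2-HMAC-SHA256.

    The length check is done on the UTF-8 encoding, so a "64 character" passphrase
    containing non-ASCII characters can be longer than 64 bytes; the cap bounds how
    much input the KDF has to process per attempt without limiting entropy in practice.
    """
    pw = passphrase.encode("utf-8")
    if not pw:
        raise ValueError("empty passphrase")
    if len(pw) > MAX_PASSPHRASE_BYTES:
        raise ValueError(f"passphrase exceeds {MAX_PASSPHRASE_BYTES} bytes")
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")  # assumed minimum
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=KEY_BYTES)


def passphrase_fits(passphrase: str) -> bool:
    """True if the passphrase would be accepted by derive_key's length check."""
    return 0 < len(passphrase.encode("utf-8")) <= MAX_PASSPHRASE_BYTES


if __name__ == "__main__":
    # Constructed sample: a fresh random salt, stored alongside the encrypted data.
    salt = os.urandom(16)
    for pw in ("hunter2", "x" * 64, "y" * 512):
        print(len(pw.encode()), "bytes ->", derive_key(pw, salt).hex())
```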