by Sosh101 2222 days ago
Doesn't a max length suggest that they are storing passwords rather than hashes?
3 comments

It doesn't necessarily mean that.

A limit always exists. If you don't enforce it yourself, you will find out when someone decides to send you 64GB of data to hash as their password. So it's always better to enforce the limit yourself.

Sure, could be, but to play devil's advocate, maybe not: some hashing libraries have limits (silent truncation or otherwise), and/or it could be reasonable not to allow users to make the backend hash strings of unbounded length.

These specific limitations indicate that it's more likely to be something bad, however. It's funny because I remember adding EasyJet to https://github.com/dumb-password-rules/dumb-password-rules/p... last year.

Not guaranteed, but it suggests that their company processes aren't Password Manager friendly.