by layer8 983 days ago
Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters. The speed of password hashing (which is deliberately designed to be slow to impede brute-force attacks) might also significantly depend on input length, hence overly long input may take too long to hash. Other than that, and general limits on request size, there is no good reason. On the other hand, since the hashes are usually fixed-length, you also don’t gain anything by using overly long passwords.

> Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters.

Ahh, I was not aware of this limitation, thank you for clarifying. If I sign up for a service that does not allow up to 72 chars does it mean their hashing algorithm is of lower quality?

I don't think such an inference can be made.

If the hashing takes too long (e.g. 5-10 seconds) the website also risks a denial of service attack.

Yes, though if you do both client-side and server-side hashing (which might be a good idea [0]), then the server only receives the fixed-size client hash.

[0] https://security.stackexchange.com/a/100517
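An added Python example, not from the thread, that models the bcrypt cutoff discussed above (bcrypt reads the first 72 bytes of the UTF-8 encoded password, so the limit is in bytes, not characters) and shows the fixed-size pre-hash that the last comment refers to. bcrypt itself is not invoked; the site key and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac

# bcrypt consumes only the first 72 bytes of the UTF-8 encoded password;
# anything after that is silently ignored.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(password: str) -> bytes:
    """Return the bytes bcrypt would actually hash (models the truncation)."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def is_truncated(password: str) -> bool:
    """True when part of the password would be ignored by bcrypt."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def equivalent_under_bcrypt(a: str, b: str) -> bool:
    """True when bcrypt would treat two different passwords as the same secret."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def prehash_for_bcrypt(password: str, site_key: bytes) -> bytes:
    """Pre-hash (client- or server-side) before bcrypt: HMAC-SHA256 keyed with a
    constructed per-site key, base64 encoded.  The result is always 44 bytes
    (< 72), so every byte of the original password contributes.  base64 also
    avoids NUL bytes, which C-string based bcrypt implementations would treat
    as a terminator.  site_key is a hypothetical domain separator, not a secret
    that protects the stored hash."""
    digest = hmac.new(site_key, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed passwords: identical for 72 bytes, differing only afterwards.
    long_a = "a" * 72 + "secret-suffix-1"
    long_b = "a" * 72 + "secret-suffix-2"
    print(equivalent_under_bcrypt(long_a, long_b))      # True: suffix ignored
    # 25 euro signs are 25 characters but 75 UTF-8 bytes: truncated.
    print(is_truncated("€" * 24), is_truncated("€" * 25))   # False True
    # Pre-hashed inputs of any length fit under the limit and stay distinct.
    pa, pb = prehash_for_bcrypt(long_a, b"demo"), prehash_for_bcrypt(long_b, b"demo")
    print(len(pa), pa != pb)                              # 44 True
```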