[KRAKRISMOTT]

You have to limit the content length on the server side to prevent requests from choking up. So usually instead of having to sync up requirements between client and server, lazy devs just choose a simple number and enforce it globally. Especially for a lot of enterprise apps the login forms are scattered across multiple systems built by various devs. Some random contractor might just add a length validation for cargo cult. Also some databases require you to specify specific string length for entries and inexperienced devs may not understand that hashes have a constant length output.