by miorel 4806 days ago

> A third user thought the length limit suggested that the company may then be storing the password themselves rather than hashing them
This was my first thought as well, and none of the examples in the article refute it satisfactorily.

Is there any point at all to capping the maximum length? Are sites worried that if the 64-character limit is lifted, 64+ character passwords will become common, leading to a bad user experience?


Well to be fair, there really is zero point from a security point of view in having a password longer than 64 characters. If someone does enter more than 64 they almost certainly have made a mistake (a copy-paste screw up for example).

And you do need some kind of limit to prevent people using gigabyte sized passwords.

Most people using 50+ character passwords or phrases often use password management software like 1Password, Keepass, or browser-based, etc.

I do think an upper limit is valid, as allowing an arbitrarily long string could be a form of DoS (imagine someone sending the Library of Congress as a password), but 64 characters seems kind of weak.

> password management software like 1Password, Keepass, or browser-based, etc.

AFAIK all these programs allow generation of <=64 character passwords

> but 64 characters seems kind of weak.

A 64 character alphanumeric password has 36^64 combinations. That's 2^330. You're trillions of times more likely to find a hash collision than brute force the password (assuming 256-bit hashes).

Security-wise there is absolutely 0 difference between allowing >64 character passwords and not. From a user experience perspective I'm sure arguments could be made either way
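A worked version of the two points argued in this thread (the 36^64 arithmetic against a 256-bit hash, and a length cap enforced before the hash to avoid the DoS case), added here as an example and not code posted by any commenter; the 64-character cap, the 4-byte-per-character UTF-8 bound, the PBKDF2 parameters and the helper names are assumptions for illustration:

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ALNUM = 36                # digits plus one case of letters, the 36 in "36^64" above
MAX_PASSWORD_CHARS = 64   # the cap under discussion (assumed policy value)
MAX_PASSWORD_BYTES = 4 * MAX_PASSWORD_CHARS  # UTF-8 upper bound for that many code points
PBKDF2_ITERATIONS = 200_000  # assumed KDF cost; tune for the deployment


def password_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_to_match_hash(alphabet_size: int, hash_bits: int) -> int:
    """Shortest random password whose keyspace is at least 2^hash_bits.

    Beyond this length, guessing the password is no cheaper than attacking
    the hash itself, so extra characters add nothing to security.
    """
    return math.ceil(hash_bits / math.log2(alphabet_size))


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done on oversized input."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 with the length cap enforced first.

    The check precedes the KDF so a gigabyte-sized submission is rejected
    cheaply instead of consuming CPU (the DoS concern raised above).
    """
    raw = password.encode("utf-8")
    if len(password) > MAX_PASSWORD_CHARS or len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_CHARS} characters")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison; oversized input fails without hashing."""
    try:
        _, digest = hash_password(password, salt)
    except PasswordTooLong:
        return False
    return hmac.compare_digest(digest, expected)
```

With a 36-symbol alphabet, `length_to_match_hash(36, 256)` comes out at 50, which is the point at which a random password already has more keyspace than a 256-bit digest.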