by shawabawa3 4806 days ago
Well, to be fair, there really is zero point from a security point of view in having a password longer than 64 characters. If someone does enter more than 64, they almost certainly have made a mistake (a copy-paste screw-up, for example).

And you do need some kind of limit to prevent people using gigabyte-sized passwords.

1 comments

Most people using 50+ character passwords or phrases often use password management software like 1Password, Keepass, or browser-based, etc.

I do think an upper limit is valid, as allowing an arbitrarily long string could be a form of DoS (imagine someone sending the Library of Congress as a password), but 64 characters seems kind of weak.

> password management software like 1Password, Keepass, or browser-based, etc.

AFAIK all these programs allow generation of <=64-character passwords.

> but 64 characters seems kind of weak.

A 64-character alphanumeric password has 36^64 combinations. That's 2^330. You're trillions of times more likely to find a hash collision than to brute-force the password (assuming 256-bit hashes).

Security-wise there is absolutely 0 difference between allowing >64-character passwords and not. From a user experience perspective, I'm sure arguments could be made either way.