[chrj]

From the patch, it doesn't look like it's bytes, but characters.

[Perseids]

Where do you see this? In https://github.com/django/django/commit/aae5a96d5754ad34e48b... they specifically mention bytes.

[masklinn]

MAXIMUM_PASSWORD_LENGTH is used as the max_length of CharField. CharField are unicode, and thus if one reads no further than django/contrib/auth/forms.py and doesn't see MAXIMUM_PASSWORD_LENGTH is also used on KDFs input (which work on bytes) one may get the impression that it's a limit on code units.

[gsnedders]

Then it's Unicode code points, which are still am abstract concept to users. The only thing that's meaningful to users is graphemes — and with Unicode one grapheme can be formed of a potentially infinite number of code points (continuation characters stack, and can be repeated indefinitely), so you cannot practically use that for any limit.

[masklinn]

"characters" is an unfortunately common shortcut for "code points" as that's what unicode-based "char" types tend to mean.

And my comment was an explanation of an other user's, nothing more.