by krapp 4597 days ago
The only justification I've ever heard is that it's an attempt to prevent DoS attacks by forcing a site to try to hash multiple insanely long passwords.

I don't know if that's even valid though, it doesn't sound plausible to me.

1 comments

It's plausible enough that Django released 1.5.4 to limit password length. Yes, they later released 1.5.5, which removed the limit, but it still showed that it was a possible problem in some implementations.

https://www.djangoproject.com/weblog/2013/sep/15/security/