Am I missing something? Why do passwords get length caps?
E.g. Atlassian caps at 100 chars. Why would they do so? Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters. The speed of password hashing (which is deliberately designed to be slow to impede brute-force attacks) might also significantly depend on input length, hence overly long input may take too long to hash. Other than that, and general limits on request size, there is no good reason. On the other hand, since the hashes are usually fixed-length, you also don’t gain anything by using overly long passwords. > Some password hashing algorithms have a maximum input size. For example, bcrypt is limited to 72 characters. Ahh, I was not aware of this limitation, thank you for clarifying. If I sign up for a service that does not allow up to 72 chars does it mean their hashing algorithm is of lower quality? I don't think such an inference can be made. If the hashing takes too long (e.g. 5-10 seconds) the website also risks a denial of service attack. Yes, though if you do both client-side and server-side hashing (which might be a good idea [0]), then the server only receives the fixed-size client hash. i found this interesting: Password length best practices
--What is the standard for maximum password length? Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows in 127 characters (the limitation is in the Windows GUI). 127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault. Service account passwords that are almost never typed and possibly rarely changed (if ever) could stand to be longer still. https://specopssoft.com/blog/password-length-best-practices/ Length limits can help to avoid long processing time perhaps, so you should set a limit, but the limit should be long, maybe more than 100 bytes. varchar (100) ? Yeah I would assume it’s the max length of the column in whatever database they’re storing the hashed password