ertugrulcetin / ClojureNews

Clojure News Web Application - (Hacker News Clone)

Allow longer passwords

jballanc opened this issue · comments

I like to use 1Password to manage and generate random passwords for sites such as this one. Going by the "strength" meter from 1Password, it usually takes 24-26 characters to generate a password with maximal strength. Furthermore, if users want to make use of pass-phrases instead of passwords (see https://www.xkcd.com/936/), they will likely require more than the current limit of 20 characters. I understand the point in setting some upper bound, but perhaps 32 or 64 characters would be better?

I would recommend an upper bound of 256 or 512 characters.

I personally use the max generated password size for lastpass (100 characters) so the suggestion of 64 characters would be too small for my usage.

As long as you are hashing passwords it has a minimal effect on your site (if 512 characters extra in a post are going to break your site, you have problems). It takes slightly longer to hash at the upper end but not much from what I understand (I haven't benchmarked it).

@jballanc 1Password looks promising! I did not know it. I'll increase the password length as soon as possible.

@mordocai Hmm, 256+ password length is long, don't you think?

@ertugrulcetin I only know of two classes of reasons to limit password length.

  1. The server is storing the passwords in plain text and wants to limit how big the database field is.
  2. Limiting resource usage while transmitting and hashing passwords.

Since you are storing the sha256 hash, you would only be worried about 2. I would imagine (though I haven't checked) that the difference between sha256 hashing a 32 character password vs a 512 character password is insignificant, and I am quite certain it is insignificant at the network layer.

So my question is:
Why -not- have a 512 character password limit?
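As an added example (not code from the ClojureNews project, and in Python rather than Clojure), here is the length check the thread argues about together with a way to quantify what a 32- versus 512-character password actually costs SHA-256: the number of 64-byte compression blocks, and a throughput measurement. The 8-character minimum, the 16-byte random salt and the salt-prefix scheme are assumptions (the thread only says the site stores a sha256 hash); the 128-character cap is the one the maintainer reports deploying below.

```python
import hashlib
import os
import timeit

MIN_PASSWORD_LEN = 8      # assumed minimum; the thread does not state one
MAX_PASSWORD_LEN = 128    # the cap the maintainer says was deployed
SHA256_BLOCK_BYTES = 64   # SHA-256 compresses the input 64 bytes at a time


def validate_password_length(password: str) -> bool:
    """Accept a password only if its encoded length is inside the bounds.

    The check is on the UTF-8 form, because that is what is transmitted and
    hashed; counting characters alone undercounts multibyte pass-phrases.
    """
    n = len(password.encode("utf-8"))
    return MIN_PASSWORD_LEN <= n <= MAX_PASSWORD_LEN


def sha256_blocks(n_bytes: int) -> int:
    """How many 64-byte blocks SHA-256 processes for an n_bytes input.

    Padding appends one 0x80 byte plus an 8-byte length field, so inputs of
    56..63 bytes already spill into a second block.
    """
    return (n_bytes + 1 + 8 + SHA256_BLOCK_BYTES - 1) // SHA256_BLOCK_BYTES


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 digest (assumed layout: salt prepended to the password)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hashes_per_second(length: int, iterations: int = 20000) -> float:
    """Measure SHA-256 throughput for a password of the given length."""
    pw = "x" * length
    salt = os.urandom(16)
    seconds = timeit.timeit(lambda: hash_password(pw, salt), number=iterations)
    return iterations / seconds


if __name__ == "__main__":
    for length in (32, 128, 512):
        blocks = sha256_blocks(16 + length)   # 16-byte salt plus password
        print(f"{length:4d} chars: {blocks} blocks, "
              f"{hashes_per_second(length):,.0f} hashes/s")
```

The measurement shows that input length is not what makes SHA-256 expensive; a deliberately slow password hash such as bcrypt or scrypt is where the cost lives, and bcrypt in particular only reads the first 72 bytes of input, which is a separate reason to pick a cap consciously.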

@jballanc @mordocai I tested with 128 chars; it worked well and I deployed it.
For now it does the job. I don't know what a 512-char password will bring; I think I'll do deeper tests for 512 chars.