Why is there a limit at all? When you hash the password, it should be a fixed size no matter the password length. Make sure you're not just storing the password on its own.
I recently discovered that some password hashes take time proportional to the length of the password times the number of rounds. E.g. if bcrypt work factor is set to 16 and you have a 1M byte password then the time is proportional to `1000000 * 2^16`
Why it doesn't first hash the password so it's `1000000 + len(hash) * 2^16` is beyond me, and something a crypto expert will have to answer.
In practice this means that setting an arbitrarily high limit on password size would open you up to a DOS attack via (effectively) quadratic time password hashing.
Thank you for that. Note: the trouble is that if you use a password manager it will create arbitrarily long and very secure passwords for you that _far_ exceed what you would expect for a "normal" limit.
5.1.1.2: "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length." [1]
I use a common password manager and its max generated password length is 64, so it's in agreement with NIST. That said I am able to manually add characters to increase beyond 64.
Yeah, you should be storing the password hashes in the DB, not the passwords. The hashes are going to be the same length regardless of the password's length.
If you wanted to get real fancy, hash the password once on the client side (reducing it to a known length), then again on the server. You should also be using a per-user salt to prevent a rainbow table from being generated if your DB is leaked.
Edit: Its fixed now. Increased to 128