NIST proposes barring some of the most nonsensical password rules

https://lemmy.world/post/20190319


Here is the text of the NIST sp800-63b [https://pages.nist.gov/800-63-4/sp800-63b.html] Digital Identity Guidelines.

Any password length (within reason) and any character should be allowed. It’s going to be hashed and only the hash will be stored right? Length and character limits make me suspect it’s being stored in plain text.

You should probably have some safeguard to prevent jokers from uploading 14.2 gigabytes of absolute nonsense into your system’s password field just to see if they can make it crash. But I think limiting it to, like, 8 kB ought to be quite lenient for anything with a modern internet connection.

As others have noticed, various hashing functions have an upper-bound input length limit anyway. But I don’t see any pressing reason to limit your field length to exactly that, even if only not to reveal anything about what you might be feeding that value into behind the scenes.

I usually do 256 characters. That’s long enough that most password managers top out anyway (mine tops out at 128), and it shouldn’t ever present a DoS risk. Anything much beyond that and you’ll go beyond the hash length.
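An added illustration of the policy the thread converges on (this is example code, not from the post or from NIST): accept any character, enforce only a generous byte cap to keep absurd inputs out, normalize, then store a salted KDF output rather than the password. The 8 KiB cap comes from the discussion above; the minimum length, the NFC normalization choice and the scrypt parameters are assumptions.

```python
import hashlib
import secrets
import unicodedata

# Constructed policy values: the 8 KiB cap is the "lenient" figure from the
# thread; MIN_LEN is an assumed minimum, not a value the thread states.
MIN_LEN = 8
MAX_BYTES = 8 * 1024
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed work factor


class PasswordPolicyError(ValueError):
    pass


def check_password(password: str) -> bytes:
    """Apply length rules only; never reject on character class.

    Returns the UTF-8 bytes that will be fed to the KDF.
    """
    # Normalize so visually identical Unicode input hashes identically
    # (SP 800-63B suggests NFC/NFKC normalization before hashing).
    normalized = unicodedata.normalize("NFC", password)
    raw = normalized.encode("utf-8")
    if len(normalized) < MIN_LEN:
        raise PasswordPolicyError("too short")
    if len(raw) > MAX_BYTES:  # measured in bytes: what the KDF actually sees
        raise PasswordPolicyError("too long")
    return raw


def hash_password(password: str) -> str:
    """Salted scrypt hash; the stored record never contains the password."""
    raw = check_password(password)
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(raw, salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        raw = check_password(password)
    except PasswordPolicyError:
        return False
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(raw, salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return secrets.compare_digest(digest.hex(), digest_hex)
```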