Searching the internet for #CARP, many sites recommend using a password length of 30 characters. #FreeBSD silently truncates it to 19. The Debian manpage of #ucarp claims to support 20 characters, but refuses to run given more than 19.

So why exactly 19 characters? 20 is the size of SHA-1 hashes and a comment in ip_carp.h suggests that CARP is supposed to use such a hash derived from a password. However, actual implementations treat it as a null-terminated string.