HACKER Q&A
📣 eeegnu

Why Limit Password Length?


I see it all the time: enter a password that's at least 8 characters (good), but no more than 20 characters (why?). I don't even see how it makes things easier for a dev. Who benefits from this restriction? I can understand limiting it to 200 characters, but why something small enough that it discourages pass phrases?


  👤 mtmail Accepted Answer ✓
On the server side the password is often hashed multiple times, with bcrypt so-called stretches. From the documentation of my web framework:

"Note that, for bcrypt (the default algorithm), the cost increases exponentially with the number of stretches (e.g. a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation)."

With a high security configuration server side and allowing long passwords you can open the possibility of DDoS attacks: the attacker could create many accounts, effectively consuming all CPU cores.

That's my understanding. I chose the latest recommended value, I think 11, ran tests with 128 character passwords (the limit I set) and was ok with the performance. Tested 1000 character passwords as well and indeed the website became unresponsive.

Other websites might use older configuration based on older recommendations or hardware specs. I'm not saying that's the explanation, but it's one of the reasons.
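The pattern the accepted answer describes, as an added example that is not from this thread: a cheap length check runs before any stretching work, and a small benchmark shows how the per-hash cost doubles with each increment of the cost factor. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here (an assumption, chosen so the example runs without third-party packages); the 8/128 bounds follow the answer, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Bounds assumed for this example: 8 minimum, 128 maximum (the limit the answer reports setting).
MIN_LEN = 8
MAX_LEN = 128


def check_length(password: str) -> bool:
    """Cheap check done before any hashing so oversized input never reaches the slow KDF."""
    n = len(password.encode("utf-8"))
    return MIN_LEN <= n <= MAX_LEN


def stretch(password: str, salt: bytes, cost: int) -> bytes:
    """Stretching KDF whose work doubles with each +1 of cost, the same shape as bcrypt's
    cost factor. PBKDF2-HMAC-SHA256 is a stand-in for bcrypt here (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost, dklen=32)


def register(password: str, cost: int = 12) -> Optional[Tuple[bytes, bytes]]:
    """Return (salt, hash) for an acceptable password, or None if the length check fails.
    The check comes first, so a rejected request costs no KDF work."""
    if not check_length(password):
        return None
    salt = os.urandom(16)
    return salt, stretch(password, salt, cost)


def verify(password: str, salt: bytes, expected: bytes, cost: int = 12) -> bool:
    """Same cheap check first, then constant-time comparison of the stretched candidate."""
    if not check_length(password):
        return False
    return hmac.compare_digest(stretch(password, salt, cost), expected)


def seconds_per_hash(cost: int, password: str = "correct horse battery staple") -> float:
    """Measure one stretch at the given cost; use this to pick a cost for your hardware."""
    salt = b"constructed-fixed-salt"  # constructed; fixed only so timings are comparable
    start = time.perf_counter()
    stretch(password, salt, cost)
    return time.perf_counter() - start


if __name__ == "__main__":
    for c in (8, 10, 12, 14):
        print(f"cost={c:2d} (2^{c} iterations): {seconds_per_hash(c) * 1000:8.2f} ms per hash")
```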


👤 sadaffodil
Websites that limit password length or use those inane password requirements are the bane of my existence. They force me to create stupid passwords with symbols and weird capitalizations that I will never remember, forcing me to write them down somewhere or manually add them to a password manager. For many people, it's more convenient to just reset the password every time they need to use these websites because of their bs password requirements.

👤 dangwu
Also, why limit special characters? I've run into several websites not letting me use characters like exclamation marks.

👤 db48x
There really isn't a good reason. After all, once you hash the passwords they're all the same length.