HACKER Q&A
📣 l1am0

Is there any reason for a max password length in web apps?


  👤 mtmail Accepted Answer ✓
Assuming they use bcrypt

"for bcrypt (the default algorithm), the cost increases exponentially with the number of stretches (e.g. a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation)." Ruby on Rails defaults to 11 stretches; with better computers that number will increase, and it's recommended not to go below 10 in production systems.

Hackers, or rather security researchers, will try 1000- or 5000-character-long passwords, 10x per second, which brings down the website: a DoS attack. Happened to me.

I'm not saying a 64-character limit is a good limit; I have my settings at 128 after some testing, but any limit is advisable. A website owner just has to be realistic about how long usual users (not security researchers) set their passwords and find a trade-off.

https://en.wikipedia.org/wiki/Key_stretching
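The defensive pattern mtmail describes, as an added example (not code from the answer or from Rails): reject an over-long password with a cheap error before any key stretching runs, and measure the cap in bytes rather than characters, since the hasher consumes bytes and one non-ASCII character can be up to four of them. The 128-byte cap mirrors the answer's chosen setting; the standard library's PBKDF2-HMAC stands in for bcrypt so the block runs without extra dependencies, and `bcrypt_relative_cost` only models the doubling-per-stretch behaviour the quoted Rails note describes. All function names, policy values and the simulated `register` endpoint are assumptions for this example.

```python
import hashlib
import os
from typing import Optional, Tuple

# Policy values are assumptions for this example: a byte cap of 128 (the
# answer's own setting) and a PBKDF2 iteration count that plays the role of
# bcrypt's "stretches". Real deployments tune both.
MAX_PASSWORD_BYTES = 128


class PasswordTooLong(ValueError):
    """Raised when a password exceeds the byte cap before hashing."""


def check_password_length(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> int:
    """Enforce the cap *before* any expensive hashing runs.

    The cap is measured in UTF-8 bytes, not characters: a character count
    can under-estimate what actually reaches the hasher.
    Returns the byte length so callers can log it.
    """
    raw = password.encode("utf-8")
    if len(raw) > max_bytes:
        raise PasswordTooLong(f"password is {len(raw)} bytes; limit is {max_bytes}")
    return len(raw)


def bcrypt_relative_cost(stretches: int, baseline: int = 10) -> int:
    """bcrypt performs 2**stretches key-setup rounds, so each +1 doubles the
    work. Returns how many times slower `stretches` is than `baseline`."""
    return 2 ** (stretches - baseline)


def hash_password(
    password: str, *, iterations: int = 200_000, salt: Optional[bytes] = None
) -> Tuple[bytes, bytes]:
    """Hash a password that has already passed the length check.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption for the
    example); the guard-then-hash ordering is the point, not the algorithm.
    """
    check_password_length(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def register(username: str, password: str) -> dict:
    """Simulated registration endpoint (hypothetical): over-long input gets a
    cheap 400-style response and never reaches the hasher."""
    try:
        nbytes = check_password_length(password)
    except PasswordTooLong as exc:
        return {"status": 400, "error": str(exc)}
    salt, digest = hash_password(password)
    return {
        "status": 201,
        "user": username,
        "bytes": nbytes,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


if __name__ == "__main__":
    print(register("alice", "correct horse battery staple")["status"])  # 201
    print(register("mallory", "A" * 5000)["status"])                    # 400, hasher never ran
    print(bcrypt_relative_cost(11), bcrypt_relative_cost(20))           # 2 1024
```

The ordering matters: the length check is a string-length comparison, so a flood of 5000-byte passwords costs the server almost nothing, while the same flood reaching the hasher would pay the full stretching cost on every request. Checking bytes rather than characters also keeps the cap meaningful for non-ASCII passwords.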