The only practical reason to have length limits now is to reduce DoS attacks via posting crazy long data to the server. But can be mitigated by hashing on the client before submission, and again salted hashing on server before storing.
Discussion
I understand that there has to be some maximum for a number of reasons. 20 characters isn't long enough for me to even meet modern password recommendations though. I run into sites with even smaller limits regularly.
Insecure by design.
And while weβre at it, how about stupid restrictions on what characters you can use? Punctuation too good for ya?
