Small rant incomming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I’d assume. It’s bad enough I gotta make a million accounts when applying to jobs but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.
There should be a maximum, but only to cover ridiculous cases, like users pushing a 5 Kilobyte password onto the server. Hashing is expensive.
While we’re at hashing: salting is important of course, but one should also not use any hash function, but one specifically made for passwords, such as argon2. If you just use plain old sha-2, that can still be computed with quite some performance on modern hardware, hence the need for hashing functions that take up performance in a controlled way.