
Hmm? The hash will be a fixed length, which is the only thing you'd be storing.



In order to get that hash you'd have to process the password in its entirety. But really, if they're that concerned about the buffer I see no reason to cap it at 8 or 10 rather than 1000.


Eh. That seems unlikely, assuming you're not writing your own routines. At most you'd get an out of memory error. I can calculate the SHA1 digest of a 1Bn character string without running into that problem.

So let's cap the length at 100k characters and call it a day.



