bcrypt has long been regarded as the "best" secure hashing function, and it limits input passwords to 50-72 bytes. Assuming UTF-8 input, a character can plausibly be 4 bytes, which turns 72 bytes into 18 characters max.
It looks like Argon2 is newer and doesn't have a max length but still it's likely most sites are using bcrypt.
There's also a kind of handwavy "more than 20 characters is likely to be malicious input." Which is a little bit of a cop out but also probably true in general.
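The byte-versus-character arithmetic in the comment above, worked through as an added example (not part of the original comment). It does not call bcrypt; it models an implementation that silently truncates its input at 72 bytes, which is an assumption, and all function names and sample passwords are constructed for illustration.

```python
BCRYPT_MAX_BYTES = 72  # upper figure quoted in the comment; assumed hard limit


def utf8_len(password: str) -> int:
    """Length of the password as the hash function sees it: in bytes."""
    return len(password.encode("utf-8"))


def chars_within_limit(password: str, limit: int = BCRYPT_MAX_BYTES) -> int:
    """Count whole characters whose UTF-8 bytes fit entirely inside the limit."""
    used = count = 0
    for ch in password:
        n = len(ch.encode("utf-8"))
        if used + n > limit:
            break
        used += n
        count += 1
    return count


def effective_input(password: str, limit: int = BCRYPT_MAX_BYTES) -> bytes:
    """Bytes a silently truncating implementation would actually hash.
    The cut can land in the middle of a multi-byte character."""
    return password.encode("utf-8")[:limit]


def same_after_truncation(a: str, b: str, limit: int = BCRYPT_MAX_BYTES) -> bool:
    """True when two different passwords would produce the same hash input."""
    return effective_input(a, limit) == effective_input(b, limit)


def check_password(password: str, limit: int = BCRYPT_MAX_BYTES) -> tuple[bool, str]:
    """Server-side check: reject over-long input instead of truncating it."""
    n = utf8_len(password)
    if n > limit:
        return False, f"password is {n} bytes; limit is {limit} bytes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords.
    samples = {"ascii": "a" * 80, "emoji": "\U0001F600" * 20,
               "mixed": "a" + "\U0001F600" * 18}
    for name, pw in samples.items():
        print(name, len(pw), "chars,", utf8_len(pw), "bytes,",
              chars_within_limit(pw), "chars hashed,", check_password(pw))
    print(same_after_truncation("a" * 72 + "X", "a" * 72 + "Y"))
```
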