Passwords are limited to 20 characters.

Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.

There should be no need for such a low upper limit

• it won't take any extra space in the database since all password hashes will be the same length

• if the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.