Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.
There should be no need for such a low upper limit:
It won't take any extra space in the database since all password hashes will be the same length.
If the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.
Observed this on the password reset form on translate.zanata.org.
Agreed. Limiting to 20 characters is not great.
Good point. See https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length
We need some sort of limit to make sure the hashing doesn't lead to a denial of service attack, but I think we could afford to hash, say, 1024 characters.
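An added illustration of the policy discussed in this thread (example code, not Zanata's own): the 8-character minimum is the one the report mentions and the 1024 upper bound is the figure proposed above; measuring the cap in UTF-8 bytes, the salt layout and the use of PBKDF2 from the standard library are this example's own assumptions. It also shows the point about storage: the stored value has the same length for an 8-character password and a 1000-character passphrase.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy values: the 8-character minimum is from the original report, the 1024
# cap is the figure proposed in the thread. Counting the cap in bytes and the
# choice of PBKDF2-HMAC-SHA256 are assumptions made for this example.
MIN_LENGTH = 8
MAX_BYTES = 1024
PBKDF2_ITERATIONS = 100_000  # illustrative work factor only
SALT_LEN = 16


def validate_password_length(password: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    The minimum is counted in characters (what the user sees); the cap is
    counted in UTF-8 bytes, because the hash function consumes bytes and the
    cap exists only to bound the work a single request can force.
    """
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(password.encode("utf-8")) > MAX_BYTES:
        return False, f"must be at most {MAX_BYTES} bytes"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Validate, then return salt || PBKDF2 digest (always SALT_LEN + 32 bytes)."""
    ok, reason = validate_password_length(password)
    if not ok:
        raise ValueError(reason)
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Fixed-size output regardless of how long the passphrase was.
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Re-run the length check first so an oversized input is rejected
    before any hashing work is done, then compare in constant time."""
    ok, _ = validate_password_length(password)
    if not ok:
        return False  # nothing this long (or short) could have been stored
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample inputs for a quick self-check.
    for pw in ["short1!", "a" * 8, "correct horse battery staple", "x" * 1025]:
        print(repr(pw[:30]), validate_password_length(pw))
    stored = hash_password("correct horse battery staple")
    print("stored length:", len(stored), "verify:", verify_password("correct horse battery staple", stored))
```

The check runs on both the reset form and the login path, so the cap bounds hashing work everywhere a user-supplied password reaches the hash function, while a 30- or 50-word passphrase is still accepted.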
Sounds reasonable to me.
Sounds reasonable to me.