
> Length between 7 and 33 characters

I've never understood why sites limit password length. You're (hopefully) hashing it anyways; the length of what the user enters has no bearing on what you're storing in your database.



Exactly. Limits only become reasonable when they're meant to stop you from uploading hundreds of megs worth of data and monopolising resources. A 1kb password or even a 1mb password supplied by a tiny fraction of a percent of users is not going to make an impact on you, but can provide that small group of users with a massively increased peace of mind.


"I've never understood why sites limit password length. You're (hopefully) hashing it anyways; the length of what the user enters has no bearing on what you're storing in your database."

What if they upload a GB or TB binary as password? I've always wondered but nobody told me if there's some inherent cut-off that would prevent such a DoS attack.


33 characters (and I often see less) is a far cry from a gigabyte. I think it's clear I was talking about unreasonably low limits.


Exactly, such anti-abuse limits would start at, say, 256 characters. The number of banks and services that limit their passwords to 20 characters or fewer is startling.


I've seen even worse than that - for low-importance passwords I normally record them in a mail-to-self memo then paste them into the signup form. I recently encountered one site that silently truncated the pasted password.


While silent truncation is of course bad because it limits the potential entropy of a password, if implemented consistently it's technically not any worse than a limit that's presented to the user. But just wait until the new hire doesn't know about it and implements a form without it, and then all of the sudden users are entering the same "long" passwords they always have and scratching their heads when it fails.
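The two points made above (a high anti-abuse cap rather than a tiny limit, and explicit rejection rather than silent truncation) can be shown in code. The following is an added example written for this thread, not code from any commenter or from any site discussed; the 8/256 length bounds and the scrypt parameters are assumed values chosen for illustration, and the stored digest is a fixed 32 bytes no matter how long the password is. It also reproduces the "new hire" failure mode: a signup path that silently truncates at 33 characters paired with a login path that does not.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for this example (not from any real site):
# a conventional minimum and an anti-abuse maximum in the spirit of
# "limits would start at, say, 256 characters".
MIN_LEN = 8
MAX_LEN = 256

# Assumed scrypt cost parameters; 128 * r * n = 16 MiB, within hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DIGEST_LEN = 2**14, 8, 1, 32


class PasswordPolicyError(ValueError):
    """Raised when a password is outside the stated length policy."""


def check_length(password: str) -> str:
    """Reject out-of-policy lengths explicitly instead of truncating silently."""
    n = len(password)
    if n < MIN_LEN:
        raise PasswordPolicyError(f"password must be at least {MIN_LEN} characters")
    if n > MAX_LEN:
        raise PasswordPolicyError(f"password must be at most {MAX_LEN} characters")
    return password


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enforce the policy, then derive a fixed-size digest; storage cost is independent of input length."""
    check_length(password)
    if salt is None:
        salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; out-of-policy input simply fails rather than being cut down."""
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        return False
    return hmac.compare_digest(_kdf(password, salt), digest)


# --- The failure mode from the thread: inconsistent silent truncation -------

def truncating_signup(password: str, salt: bytes, limit: int = 33) -> bytes:
    """A signup form that silently keeps only the first `limit` characters (the bad behaviour)."""
    return _kdf(password[:limit], salt)


def nontruncating_login(password: str, salt: bytes, digest: bytes) -> bool:
    """A later login form written without knowledge of the truncation; hashes the full input."""
    return hmac.compare_digest(_kdf(password, salt), digest)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple " * 5)  # 145 characters
    print(len(digest), "byte digest stored regardless of password length")
    long_pw = "x" * 40  # longer than the 33-character truncation point
    stored = truncating_signup(long_pw, salt)
    print("login with the password the user actually typed:", nontruncating_login(long_pw, salt, stored))
```

The last two lines print `False`: the user's full 40-character password no longer matches what signup stored, which is exactly the head-scratching scenario described above. With `hash_password`/`verify_password` the length rule is applied identically on both paths, so a 145-character password round-trips and a 300-character one is refused up front.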


Because more than 33 characters would take too much space, duh.


If the password is too short, an attacker can brute force the hash by simply trying all 6 character combinations of allowed password characters, provided that the hashes get leaked or hacked, which happens quite a lot these days. (Or if the website is stupid enough to allow an attacker to brute force try all these combinations without throttling you or stopping you at the xth wrong entry)


I was talking about maximum password lengths, not minimums.



