Appendix A.2 - rationale for limiting password length

[si-chan]

The Appendix currently states in section 2: "Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit."

The excessive hashing time, whilst of concern to the CSP, is probably not the main factor preventing arbitrarily long memorised secrets (passwords), since the user must firstly memorise such a long password / passphrase and secondly, enter it somehow (presumably through a manual input mechanism). The example given of "megabytes" is unreasonable given these human constraints.

Consider revising the language to reference the number of characters rather than total information storage required, as this is more human-context terminology.

For example:
"Extremely long passwords (perhaps several hundred characters in length), could conceivably require excessive input time by the subscriber, or consume excessive resources at the CSP to hash the password, so it is reasonable to have some limit."