If you know, please also provide relevant documentation.

UPDATE (2025-02-02T06:06Z): I did some brute-force testing, and, at least for sh.itjust.works, it seems that the maximum username length is 50, and the maximum password length is 60 [1].

References
  1. “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
    • When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
  • 1984
    3·
    14 hours ago

    A password max length shouldn’t be needed if they store a hash of it in the db.

    • pivot_root@lemmy.world
      7·
      13 hours ago

      It’s possible that Lemmy uses fixed-size buffers for the username and unhashed password. It would be pretty bad to give an unauthenticated user the power to allocate hundreds of megabytes in a shared process.

      Not that I read the source code to know for sure, but it’s common practice to reduce the opportunity for denial of service attacks by limiting user input size.

    • slazer2au@lemmy.worldEnglish
      1·
      13 hours ago

      It’s up to the UI as to how much data to accept AFAIK. The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.

      • Kalcifer@sh.itjust.worksOPEnglish
        3·
        13 hours ago

        […] The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.

        At least on sh.itjust.works, it doesn’t just silently truncate the password; it throws an error [1]:

        References
        1. “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
          • When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.