The program still has to handle the string to take it from the input into the hash function. The bigger the string you’re allowing, the more memory you’re devoting to the program to handle it. At some point, it’s diminishing returns; maybe one person in a hundred will use a 12-character password; maybe only one in a thousand will use a 16-character password; probably only one in ten thousand will even think to use a 20-character password. Do you want to allocate 40% more memory for *every* password interaction for the sake of those 0.01% of users?

The program still has to handle the string to take it from the input into the hash function. The bigger the string you’re allowing, the more memory you’re devoting to the program to handle it. At some point, it’s diminishing returns; maybe one person in a hundred will use a 12-character password; maybe only one in a thousand will use a 16-character password; probably only one in ten thousand will even think to use a 20-character password. Do you want to allocate 40% more memory for *every* password interaction for the sake of those 0.01% of users?