Some people deride it as "C programmer mentality" when fields have a fixed maximum size. I too used to think having no limits at all was the best approach in most scenarios. But for many user input data, there is a point at which a longer value is complete nonsense. The 4096-character password length limit Django will now employ seems quite a bit longer than absolutely necessary; hopefully it sufficiently addresses the bug. As for the choice of 4096, well, I would have chosen 4000 (or 1000) simply because it's more comprehensible from an end-user perspective.

When designing such systems, also consider that users sometimes accidentally copy-paste entire documents into text fields--given the number of users Django has, if a site has no input-field length limit, it's downright likely that someone will eventually paste a megabyte "password" in there with no ill intention.