Right, that’s why I put the “within reason” in my comment. You still need to guard against malicious inputs so ultimately there is some max length limit, but it should be way beyond what a reasonable password length should be.