What are the main practical reasons behind setting characters limits on HTML text input fields?

Question

Like in text field for writing post or login/password field for typing login credentials.

As an example, there's question on SO: Should I impose a maximum length on passwords? in which users like @epochwolf, @tardate or @kravietz imply that input length limits are security warning, because i.e. it's makes harder to create stronger passwords.

OTOH @Jason Dagit writes, that text input field without any limits allows potential attackers to make DoS attacks, using hugely long strings in inputs - but url limit can be imposed on server-side.

Also I've read about backward compatibility with legacy systems, that impose short strings values in form for it's users.

Even HTML5.2 Forms specification - The maxlength and minlength attributes says nothing technically specific about this problem.

Could anyone shine some light on this problem?

Answer 1

It makes sense if there's a business rule that limits certain values to certain lengths. It's immediate validation that a certain value cannot be correct if it is too long. Things like package tracking codes which follow a specific format and cannot be longer than a specific length. For other arbitrary data it makes sense if the underlying database or other subsystem limits the length to a VARCHAR(255) or such, then it makes no sense to even let the user type in anything longer. It is debatable why exactly the database would impose such limits, but some limit will and should always be there as long as it's reasonable.

It makes no sense for passwords, which should always be hashed and thereby reduced to a fixed length, meaning it doesn't matter how long the original input was.

It makes no sense as defence against DoS attacks, since an attacker wouldn't be using an HTML form field as attack vector but would instead be directly forging arbitrary HTTP requests. And as you said, the web server would be imposing some maximum request size beyond which it simply drops the connection.

Answer 2

It helps to protect your website if there is an unknown vulnerability, for example if you need for say 30 characters of a java script piece of code to hack / exploit the website but your character limit is set at 25 it would offer some protection.