If you know, please also provide relevant documentation.
UPDATE (2025-02-02T06:06Z): I did some brute-force testing, and, at least for sh.itjust.works, it seems that the maximum username length is 50, and the maximum password length is 60 [1].
References
1. “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
   - When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
It’s possible that Lemmy uses fixed-size buffers for the username and unhashed password. It would be pretty bad to give an unauthenticated user the power to allocate hundreds of megabytes in a shared process.
Not that I read the source code to know for sure, but it’s common practice to reduce the opportunity for denial of service attacks by limiting user input size.
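Added example, not part of the thread and not Lemmy's own code: a Rust sketch of the practice the reply describes, capping how much of an unauthenticated request is buffered and then enforcing the 50/60 limits observed above before any hashing would run. The 4 KiB body cap, the newline-separated body format, counting in characters rather than bytes, and all function and type names are assumptions made for illustration.

```rust
use std::io::{self, Read};

// Field limits as observed in the post for sh.itjust.works (assumed to be counted in characters).
const MAX_USERNAME_CHARS: usize = 50;
const MAX_PASSWORD_CHARS: usize = 60;
const MAX_BODY_BYTES: u64 = 4 * 1024; // hypothetical cap for a sign-up request

#[derive(Debug, PartialEq)]
enum Reject { BodyTooLarge, NotUtf8, Malformed, UsernameTooLong, PasswordTooLong }

/// Read at most MAX_BODY_BYTES + 1 bytes, so an oversized request is detected
/// without ever buffering more than the cap plus one byte.
fn read_bounded<R: Read>(src: R) -> Result<Vec<u8>, Reject> {
    let mut buf = Vec::new();
    src.take(MAX_BODY_BYTES + 1)
        .read_to_end(&mut buf)
        .map_err(|_| Reject::Malformed)?;
    if buf.len() as u64 > MAX_BODY_BYTES {
        return Err(Reject::BodyTooLarge);
    }
    Ok(buf)
}

/// Parse a constructed "username\npassword" body and enforce the per-field
/// limits before the password would be handed to a hash function.
fn validate_signup<R: Read>(src: R) -> Result<(String, String), Reject> {
    let body = String::from_utf8(read_bounded(src)?).map_err(|_| Reject::NotUtf8)?;
    let (user, pass) = body.split_once('\n').ok_or(Reject::Malformed)?;
    if user.chars().count() > MAX_USERNAME_CHARS {
        return Err(Reject::UsernameTooLong);
    }
    if pass.chars().count() > MAX_PASSWORD_CHARS {
        return Err(Reject::PasswordTooLong);
    }
    Ok((user.to_string(), pass.to_string()))
}

fn main() {
    // Constructed inputs: an acceptable pair, a 61-character password, an endless stream.
    let ok = validate_signup("alice\ncorrect horse battery staple".as_bytes());
    let long_pw = validate_signup(format!("alice\n{}", "x".repeat(61)).as_bytes());
    let flood = validate_signup(io::repeat(b'A'));
    println!("{:?}\n{:?}\n{:?}", ok, long_pw, flood);
}
```

The endless stream is rejected after 4097 bytes have been read, so memory use stays bounded no matter how much the client sends.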