Being able to handle it, and being able to handle it efficiently enough are two very distinct things. The hash method might be able to handle long strings, but it might take several seconds/minutes to process them, slowing down the application significantly. Imagine a malicious user being able to set a password with millions (or billions!) of characters.

Therefore, restricting it to a small, but still sufficiently big, number of characters might help prevent DoS-attacks without any notable reduction in security for regular users.

Isn’t it also partly that as processing power increased, you could do more sophisticated compression/decompression in real time compared to previously, allowing these more complex compression algorithms to actually be viable?

I.e. they actually knew how to do it before, they just didn’t have the power to implement it

Podcat