We need to define a theoretical limit. How about we use the constant PHP_INT_MAX and use that as the theoretical max?
Depending on the architecture maximum value would be -
32-bit builds of PHP: 2,147,483,647 (~ ± 2 billion)
64-bit builds of PHP: 9,223,372,036,854,775,807 (~ ± 9 quintillion)
@blueelvis since there will be other limits hit before we hit the 32-bit limit.. I think it's not needed to put in the limit and we can simply accept all strings as they come (while still enforcing the min password length)