
Any user input needs to be filtered, sanitized, validated and limited. Please be my guest and pass any user input to your magic hashing function; don't cry about it later when, due to some special circumstances / framework bug / language bug / buffer overflow / extra hidden UTF char, your magic function opens a huge security hole. Oh oops.


Um, what? If your hashing library hasn't been tested with arbitrary sequences of bytes, you have bigger problems than limiting user input to 12 characters.


Okay, fine. But why limit to 12 characters? My email address isn't limited to 12 characters when I sign up, and it's probably limited and validated too. The fact that something needs to be validated does not justify annoyingly strict limits. Allowing 64 characters is just as easy as 12.
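To make the point of the thread concrete, here is an added example (not code from any commenter): a password check that bounds only the size of the input, in UTF-8 bytes rather than characters, and then hands the normalized bytes, hidden Unicode characters and all, to a standard KDF. The constants (minimum 8 characters, 1024-byte ceiling, PBKDF2 iteration count) are assumed policy values, not taken from the thread.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed policy values. The byte ceiling is a resource-exhaustion guard,
# not a usability limit; it is deliberately far above 12 or 64.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 600_000


def normalize(password: str) -> bytes:
    """NFC-normalize so visually identical inputs hash identically, then encode.

    The KDF accepts any byte sequence, so nothing is stripped or "sanitized":
    a NUL, an emoji or a zero-width character is just more input bytes.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def validate(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Accept a password that is long enough and not unreasonably large.

    Length is measured in encoded bytes, because that is what the hash sees
    and what a caller actually needs to bound.
    """
    if len(password) < MIN_PASSWORD_CHARS:
        return False
    return len(normalize(password)) <= max_bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 digest from the normalized bytes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)
```

Run `validate("correct horse battery staple", max_bytes=12)` to see a 12-character cap reject a strong passphrase that the default ceiling accepts.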



