diff --git a/lib/devise.rb b/lib/devise.rb
index 0336ed706..7f83102e7 100644
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -117,7 +117,7 @@ module Test
 # Range validation for password length
 mattr_accessor :password_length
- @@password_length = 6..128
+ @@password_length = 6..72 # max 72 byte for bcrypt
 # The time the user will be remembered without asking for credentials again.
 mattr_accessor :remember_for
diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb
index 9fe0ade81..38748b1a9 100644
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -180,8 +180,8 @@
 # config.rememberable_options = {}
 # ==> Configuration for :validatable
- # Range for password length.
- config.password_length = 6..128
+ # Range for password length. 72 bytes max for bcrypt
+ config.password_length = 6..72
 # Email regex used to validate email formats. It simply asserts that
 # one (and only one) @ exists in the given string. This is mainly
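Review bot: The new bound in `@@password_length = 6..72 # max 72 byte for bcrypt` is justified in bytes, but a length range like this is normally checked in characters, so a 72-character password containing multi-byte UTF-8 can still exceed what bcrypt hashes and lose its tail silently. The comment should say that, e.g. `# 72 characters; bcrypt hashes only the first 72 bytes, so multi-byte passwords can still be truncated`, and the same wording applies to the template hunk in lib/generators/templates/devise.rb (`# Range for password length. 72 bytes max for bcrypt`). If a pepper is appended to the password before hashing, which is not visible in these hunks, it shares the same 72 bytes and a maximum-length password would push part or all of it out of the hash input. The validation and hashing code are outside the diff, so the character-versus-byte behaviour should be confirmed there before relying on this default.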