While finding an answer to a question regarding the max allowed webserver password length in Tasmota (arendst/Tasmota#9587) I stumbled across a hard limit of 47 characters.

The HTTP Basic Authorization userid password as used in ESP8266WebServer-impl.h uses function base64_encode_chars to encode the userid:password. This function inserts linefeeds/carriage returns every 72 encoded characters as defined in cencode.h (#define BASE64_CHARS_PER_LINE 72).

In the case of Tasmota, where the userid is fixed set to admin, this allows for 47 characters in the password. Any more characters will insert a linefeed which isn't available in the HTTP request header.

As an example if a user uses a password of 12345678901234567890123456789012345678901234567890 it results in an base64 encoded string like

YWRtaW46MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4
OTA=

so with a linefeed after ..Njc4. The HTTP request header contains:

Authorization: Basic YWRtaW46MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTA=

The compare using function authReq.equalsConstantTime(encoded) will fail caused by the inserted linefeed.

As a possible solution I suggest to replace function authReq.equalsConstantTime(encoded) by a function discarding any control characters in the base64 encoded string before comparing.

EDIT: It works fine on the ESP32 as there the linefeed is not inserted in the base64 encoded data.