RealVNC (authoritative) is currently 255 characters. Older legacy implementations may still be 8.
RFB protocol itself is agnostic[0]:
VNC authentication is to be used and protocol data is to be sent unencrypted.
The server sends a random 16-byte challenge:
No. of bytes Type [Value] Description
16 U8 challenge
The client encrypts the challenge with DES, using a password supplied by the user as the key, and sends the resulting 16-byte response:
No. of bytes Type [Value] Description
16 U8 response
The protocol continues with the SecurityResult message.
Having had to implement VNC authentication a while back, I can assure you that it is not agnostic, and you have inadvertently revealed the reason for that in your own post.
Since the user password is used as the DES key, and DES key size is limited to 56 bits (plus 8 parity bits), your key can only be up to 7 8-byte characters long. However, since ASCII only uses 7 bits, you give an 8 ASCII character key instead, and the unused 8th bit of every byte is simply discarded. If the password is shorter than 8 characters, it's just padded with zeroes.
Many VNC clients and sometimes even servers allow you to enter a longer password, but as long as they're connecting to a the standard auth implementation, they'll actually truncate your password to 8 characters during operation. Yes, even RealVNC's client does that when only the standard auth is possible. It will warn you that the connection is not encrypted, but it won't let you know that your password just got slashed.
Defining alternate authentication schemes is possible, but require VNC clients to add support for those. RealVNC has simply defined one of those. So everyone should just implement that right? I think you'll find out the reason why the standard auth is still so prevalent if you spend some time trying to find any implementation documentation for it.
RFB protocol itself is agnostic[0]:
VNC authentication is to be used and protocol data is to be sent unencrypted.
The server sends a random 16-byte challenge: No. of bytes Type [Value] Description 16 U8 challenge
The client encrypts the challenge with DES, using a password supplied by the user as the key, and sends the resulting 16-byte response: No. of bytes Type [Value] Description 16 U8 response
The protocol continues with the SecurityResult message.
[0]: [pdf] http://www.realvnc.com/docs/rfbproto.pdf