That could either mean they want to limit DDOS traffic caused by absurd long passwords, but unlikely.
Or they store your passwords in plain text instead of a proper hash value in their way to small fields in database.
A more absurd possibility would be if they limit characters because they send the form by GET instead of POST and everybody could see your password in the URL (e.g. in all logs).
Security nightmare in any case.
That could either mean they want to limit DDOS traffic caused by absurd long passwords, but unlikely.
Or they store your passwords in plain text instead of a proper hash value in their way to small fields in database.
A more absurd possibility would be if they limit characters because they send the form by GET instead of POST and everybody could see your password in the URL (e.g. in all logs).
Security nightmare in any case.