I was just about to post this exact same thing. I even have some that prevented me from having a longer user name; I think I was limited to something like 12 characters. I don't understand these limitations. I don't know what system they are using that requires it or if they just have a bad system design.
The usernames and passwords are stored in SQL databases and fields have a limit. For usernames it's a bad decision to limit at something as low as 12 characters, but it's acceptable. Having a limit on password size usually means they are storing it in clear text instead of hashing it and storing the hash, which is really, really bad.
Yeah, but I would expect that they have the hardware to increase the field size. It's as simple as changing the field definition, e.g. varchar(25) instead of varchar(12). For the password length limit, is it possible that they are using tokenization? I am assuming not, and that it is simply plain text, or they check length first then hash.
True, I was implying that the reason they limited it was because they didn't have the hardware to support the total number of end users but that's because I was being generous to the developers. In reality you are most likely correct.
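Added example, not part of the thread or any site's actual code: a salted PBKDF2 sketch showing why a hashed password needs no short length limit, since the stored record is the same width whatever the user types. The record format, the iteration count and the 1024-byte input cap are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000     # assumed work factor for this example
SALT_BYTES = 16
MAX_INPUT_BYTES = 1024   # assumed generous cap, only to bound hashing cost


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$digest_hex', the value that goes in the column."""
    data = password.encode("utf-8")
    if len(data) > MAX_INPUT_BYTES:
        raise ValueError("password too long")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    data = password.encode("utf-8")
    if len(data) > MAX_INPUT_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", data, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_lengths(passwords):
    """Set of record widths produced for the given passwords."""
    return {len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    samples = ["hunter2", "correct horse battery staple", "x" * 200]
    print(stored_lengths(samples))  # one width for all of them
    record = hash_password(samples[1])
    print(verify_password(samples[1], record))
```

The column only has to fit the fixed-width record, so a 7-character and a 200-character password cost the same storage.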