The actual length of the password isn’t the problem. If they were “doing stuff right” then it would make no difference to them whether the password was 20 characters or 200, because once it was hashed both would be stored in the same amount of space.
The fact that they’ve specified a limit is strong evidence that they’renot doing it right
Fair enough, I didn’t consider compute resources