That is a valid question to ask authors of systems that do not allow passwords longer than 12 characters (or 8, which is another popular upper limit, which can have some vaguely meaningful technical reason for legacy systems).
My old bank required an exactly 5 character password.
They had two-factor authentication though, with a phone call or SMS. What happened if you forgot your password? Well, you had to reset it, using only a phone call/SMS, of course!
Banks are more willing to eat the fraud costs involved with real-world compromised PIN codes than to deal with the customer support for forgetful users.
Our HR management system at work, which manages all payslips and tax returns, only allows passwords between 8 and 9 characters; they have to start with a letter, they have to contain one of the following: "@", "_", "-", "$", but no other special characters are allowed. It has to contain one number.
It's the most bizarre password requirement I have ever seen and I am pretty sure it's not secure. Have I mentioned it only works in IE and uses ActiveX controls?
This is usually the case, but there are frequently short length restrictions even when it's hashed. Sometimes only on the client side, too, so you can just remove the attribute from the input.
Because a lot of companies have no technical expertise at all.
American Express used to enforce insane limits on passwords back in 2010[0]: 6-8 characters for passwords, no special characters, and it had to have 1 letter and 1 number, and it wasn't case sensitive. Unfortunately _I_ had an Amex card.
That page I linked to also has a reply from Amex support who shows little knowledge about the difference between passwords and website encryption.
They eventually started expanding that limit from 6-8 characters to 8-20 characters around 2012? 2013?
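As an added example (not posted by anyone in this thread), the script below counts the keyspace that the HR policy (8-9 characters, leading letter, one of four specials, one digit) and the old Amex policy (6-8 alphanumerics, at least one letter and one digit, case-insensitive) actually leave to a user, and compares it with 12 freely chosen printable characters. Class sizes are assumptions: the HR system is taken to be case-sensitive (52 letters), Amex as stated (26 letters); a brute-force enumerator over a tiny alphabet cross-checks the closed-form count.

```python
from itertools import combinations, product
from math import log2

def count_passwords(length, classes, required, first_class=None):
    """Count strings of exactly `length` characters drawn from `classes`
    (name -> number of distinct characters) that contain at least one
    character from every class named in `required`.  If `first_class` is
    given, position 1 may only hold a character from that class.
    Uses inclusion-exclusion over the subsets of required classes missing."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(sorted(required), k):
            ways = 1
            for pos in range(length):
                allowed = {first_class} if (pos == 0 and first_class) else set(classes)
                ways *= sum(n for name, n in classes.items()
                            if name in allowed and name not in excluded)
            total += (-1) ** k * ways
    return total

def count_range(min_len, max_len, classes, required, first_class=None):
    """Total keyspace when any length in [min_len, max_len] is accepted."""
    return sum(count_passwords(n, classes, required, first_class)
               for n in range(min_len, max_len + 1))

def brute_force(length, alphabets, required, first_class=None):
    """Reference check for small alphabets: enumerate every string and
    filter by the same rules (alphabets: name -> string of characters)."""
    chars = "".join(alphabets.values())
    hits = 0
    for pw in product(chars, repeat=length):
        if first_class and pw[0] not in alphabets[first_class]:
            continue
        if all(any(c in alphabets[r] for c in pw) for r in required):
            hits += 1
    return hits

# Policies as described in the thread; class sizes are assumptions
# (HR assumed case-sensitive, Amex stated to be case-insensitive).
HR = dict(classes={"letter": 52, "digit": 10, "special": 4},
          required={"digit", "special"}, first_class="letter")
AMEX = dict(classes={"letter": 26, "digit": 10}, required={"letter", "digit"})

def policy_bits(min_len, max_len, policy):
    """Keyspace of a policy expressed as bits (uniformly random choice)."""
    return log2(count_range(min_len, max_len, **policy))

if __name__ == "__main__":
    print(f"HR (8-9 chars):    {policy_bits(8, 9, HR):.1f} bits")
    print(f"Amex (6-8 chars):  {policy_bits(6, 8, AMEX):.1f} bits")
    print(f"12 free printable: {12 * log2(95):.1f} bits")  # 95 printable ASCII
```

Both thread policies land near 41-52 bits even for a perfectly random password, well under what an unconstrained 12-character password offers, which is the concrete cost of combining a short maximum with mandatory classes.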