by LinuxBender 971 days ago
I can't explain the artificially low restrictions some banks have beyond using outdated tech or poorly designed database schemas. If I had to guess, it could be an upper limit based on some formula consisting of the average number of registering users combined with hashing CPU cost. That is why OpenSSH has limits on how big of an RSA public key may be accepted. It was set to 32K, not sure what it is currently set to. Unlimited would be a DDoS vulnerability and could potentially get a CVE unless some other mitigating control were in place. But I don't know if that same logic is being used for password hashing and limits; it's just a guess. I could also think of a dozen ways to mitigate such risks, and I am not a developer, so maybe it's something simpler, like the answer for crypt [1] was reused for this topic; it was originally used for crypt using DES. I've been that chimp.

[1] - https://security.stackexchange.com/a/33471
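An added example of the mitigation the comment gestures at (not the commenter's code, and not how any bank does it): reject oversized input before spending any KDF cycles, and pre-hash the password so the slow hash's cost is constant no matter how long the accepted input is. The 1024-byte cap, the scrypt parameters and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for this example, not taken from the comment or any real system.
MAX_PASSWORD_BYTES = 1024               # hard cap, checked before any expensive work
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # fixed work factor (~16 MiB per attempt)


class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds MAX_PASSWORD_BYTES."""


def _prehash(password: bytes) -> bytes:
    # Fold any accepted password into a fixed 32-byte digest so the KDF below
    # always processes the same amount of input; the cap bounds even this step.
    return hashlib.sha256(password).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Rejects oversized input before the slow hash runs."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(_prehash(pw), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time compare; an oversized candidate fails without touching scrypt."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    digest = hashlib.scrypt(_prehash(pw), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    s, d = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", s, d))
    print("oversized rejected:", verify_password("a" * 5000, s, d) is False)
```

The length check sits in front of both the registration and the login path, which is where the per-request hashing cost would otherwise be under the caller's control.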