A 20-char password limit makes sense in one setting: When the password is stored as fixed length plaintext in a database. This is a really, really bad sign to see with a payment processor.

Possibly a holdover from the old, bad days of storing passwords in plaintext in the database, somebody said "nobody's going to need more than X characters," and it became a hard limit.

And then, later, when we all switched over to storing hashes instead of storing passwords, the idea of character limits never got quite all the way to the front end. (I'm working on a system right now that has a 35-character password limit. Granted, it's for mobile phones, where typing that much is a huge pain.)

Seriously, get rid of that limit - not all people type their passwords manually.

For instance, I have an online password generator that does a HMAC_SHA256 from a key + the domain name. I don't have to type the result - I just copy/paste !!!

I also get pretty annoyed when the validation in place asks me to also put an upper char or a number in it - as if a 15 chars password like that is any less safer than a 70 chars password that's made of only dictionary words + padding, which would be easier to remember but a lot harder to brute force.

Seriously, password validation these days is totally screwed.

Over-validation. There's a setting called "length" there... Sure, it's technically optional, but it's calling out for you to put in a safe, sensible number like 20.

     it's calling out for you to put in a safe, 
     sensible number like 20

Safe for whom?

It's very easy to have a password that's a lot longer than that - you can learn a poem or something. And such a password will be a lot harder to break than an incomprehensible 15 chars password that has at least one lower char, one upper char and a number, a password that you could otherwise forget.

Also, personally I have a password generator that produces passwords of 32 chars. I don't have to memorize it because I don't have to. I don't have to type it either, I just copy/paste. Nothing gets stored locally either, I just generate it every time I need it.

Plus there's also the usability issue - I had to find out by myself that the maximum length is 20 by trial and error. That's fucked up.

Okay, but I think you're missing my point. There's no reason it has to have a maximum length, but the database has the capability, so as a developer you feel an irrational pressure to put some number in there. Of course any maximum is going to be a problem for someone, whether it's 8 or 128, but you don't think about that-- you just put something reasonable like 20 and move on.

If you're hashing the password (like you're supposed to do), then all password hashes will get stored with a fixed length, so the actual passwords that people use could be an entire novel of 600 pages, as long as bandwidth for uploading it or the server's processing power doesn't become a problem.

The result of a hash function you would use will be something like 64 chars for SHA256, 128 chars for SHA512 and 60 chars for bcrypt - and that's the only permanent storage you need for storing a password. 20 chars is not reasonable. A reasonable size would be at least something like 128 chars, to allow people to give hashed passwords managed by external software, instead of real passwords. And you can trim hashes to 20 chars, but 20 chars can be brute-forced much more easily.

For instance, if you find the password for one of my websites (I use 32 chars, which seems reasonable even when copy/pasting doesn't work), it would take you years and years of processing to find my master key for generating the passwords to my other websites - so basically I have the same password all over the place, HMAC-ed with a salt specific to each service/website. The password itself is long but easy to remember. The algorithm for hashing is very sound, for now at least. Brute forcing it to find my key for all websites is for all practical purposes unfeasible.

Sorry, s/database/text field/. The box is only 20 characters long, why would someone need more?

Look, I understand what you're saying. I'm not saying this is right, I'm saying they just don't think. Security gets confused with validation, so they just put in a number and move on.