I've seen worse. There's a UK company called The Train Line ( http://www.thetrainline.com/ ) that handles money, and limits passwords to 10 chars with no punctuation characters.
As far as I can tell, it's checked on the server side too. But I might have another go at it tonight to be sure. The worst that could happen is that I get a longer, more secure password ;)
The worst that can happen when you mess with form field lengths: no validation on entry to the database, but validation later when pulling it out to check it, so you're now locked out of your account.
Interesting, I didn't know that. So the worst that could happen is that I'd be locked out of their horribly insecure site and forced to use something better. I don't re-use passwords, and I declined to let them store my credit card details, so when they get hax0red, I won't lose anything worth stealing.
It's possible the server will let you set the password to something longer than 12 characters but not allow you to log in with it. It's apparently happened on sites before.
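The lockout described in the last few comments, as an added example that is not part of the original thread: a set-password path with no length check next to a login path that enforces one, and a variant that applies the same check on both paths. The class names, `locked_out` helper and `MAX_LEN` value are hypothetical and do not describe any real site's code.

```python
import hashlib
import hmac
import os

MAX_LEN = 10  # constructed limit for illustration


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InconsistentSite:
    """Set-password path skips the length check; login path enforces it."""

    def __init__(self):
        self.users = {}

    def set_password(self, user: str, password: str) -> bool:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))  # stored unchecked
        return True

    def login(self, user: str, password: str) -> bool:
        if len(password) > MAX_LEN:  # validation happens only here
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))


class ConsistentSite(InconsistentSite):
    """Same policy on both paths: a password login would refuse is never stored."""

    def set_password(self, user: str, password: str) -> bool:
        if len(password) > MAX_LEN:
            return False  # rejected up front, the old password stays valid
        return super().set_password(user, password)


def locked_out(site, user: str, password: str) -> bool:
    """True when the site accepts the new password but then refuses it at login."""
    accepted = site.set_password(user, password)
    return accepted and not site.login(user, password)


if __name__ == "__main__":
    long_pw = "a-much-longer-passphrase"  # constructed sample input
    print("inconsistent:", locked_out(InconsistentSite(), "alice", long_pw))
    print("consistent:  ", locked_out(ConsistentSite(), "alice", long_pw))
```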