The issue began with password length, when the eBay administration announced that the maximum password length they would accept is 20 characters. There is some speculation that this is due to a security defect. So let us dig into the deeper reasons a site might limit password length.
Hashing Algorithms
A good example is MD5. Not so long ago, MD5 was the best-known hashing algorithm for web sites; in the following years it was found to be a weak choice and more secure algorithms took its place. But for larger companies running large distributed networks of custom software, it is not easy to upgrade the whole system to use a new hashing algorithm. Modifying the code of several systems can take months to years.
Software Optimization
When the software is written in C and hashes passwords of variable length, how does it know the length of the password? In C the end of a string is marked by the byte 0x00, the null byte, so the length of the string is found by counting bytes until the null byte is reached (and this is a slow process). To handle passwords quickly, the software limits them to a specific length, so every password is equal to or shorter than that length (padded with a pre-defined byte). It then only needs a fixed-length buffer to hold them and does not have to worry about anything else.
When software stores plain-text passwords in a database, a limit on the length is really needed too, because it is easier to manage and faster to process when every field of each row has a fixed length.
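As an added example (not code from the original article), here is what that fixed-length scheme looks like in C, assuming a 20-byte slot padded with 0x00. It also shows the check a fixed buffer needs: input longer than the slot is rejected rather than silently truncated, and the stored slots are compared over all 20 bytes so no length scan is needed at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed limit, matching the 20-character limit discussed above. */
#define PW_MAX_LEN 20
#define PW_PAD_BYTE 0x00 /* assumed pre-defined padding byte */

/* Copy a NUL-terminated password into a fixed PW_MAX_LEN-byte slot, padding
 * with PW_PAD_BYTE. Returns the password length, or -1 if it exceeds the
 * limit; the caller must reject it instead of truncating it silently. */
int pw_pack(const char *in, unsigned char out[PW_MAX_LEN]) {
    /* Scan for the null byte, but stop after PW_MAX_LEN + 1 bytes so the
     * scan stays bounded even for very long input. */
    size_t n = 0;
    while (n <= PW_MAX_LEN && in[n] != '\0') n++;
    if (n > PW_MAX_LEN) return -1;
    memcpy(out, in, n);
    memset(out + n, PW_PAD_BYTE, PW_MAX_LEN - n);
    return (int)n;
}

/* Compare two packed slots: always touches all PW_MAX_LEN bytes, never needs
 * strlen, and does not stop at the first mismatch. Returns 1 if equal. */
int pw_equal(const unsigned char a[PW_MAX_LEN], const unsigned char b[PW_MAX_LEN]) {
    unsigned char diff = 0;
    for (size_t i = 0; i < PW_MAX_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Pack both strings and compare: 1 = match, 0 = mismatch, -1 = over limit. */
int pw_check(const char *stored, const char *attempt) {
    unsigned char s[PW_MAX_LEN], a[PW_MAX_LEN];
    if (pw_pack(stored, s) < 0 || pw_pack(attempt, a) < 0) return -1;
    return pw_equal(s, a);
}

int main(void) {
    printf("match:    %d\n", pw_check("correct horse", "correct horse"));
    printf("mismatch: %d\n", pw_check("correct horse", "correct horsE"));
    printf("too long: %d\n", pw_check("this is twenty-one ch", "x"));
    return 0;
}
```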
The Ape Conditioning Problem
This situation involves 4 apes in a metal cage with a banana hanging on a string from the roof. Whenever an ape pulls the banana, it triggers an electric shock to all the apes. The apes learn that touching the banana will electrocute them. When you take one ape out of the cage and put a new ape in, the new ape will touch the banana and get beaten by the other apes. If you continue swapping apes, this goes on until none of the apes from the start are left. The result is a group of apes beating any ape that touches the banana, although none of them knows the real reason for it.
The programming community shows the same pattern. Not so long ago, because of hardware and software limitations, there were several reasons to limit passwords and little reason to allow long ones. These reasons became obsolete over time, yet some programmers keep enforcing the limits simply because others still do.
Alternative Security Measures
Some people have trouble typing a long password correctly, and this does happen. A credit card has a 4-digit PIN, as you know, which most people have no trouble typing correctly. So if everyone is limited to a 4-digit PIN, there is little chance of mistyping the security code. This is what allows the system to apply a harsh rule where 3 failed attempts lock your account.
Take note that this type of security is applied to systems whose password hash database has little chance of being leaked, or where a breached database would not compromise a massive number of accounts.