The following list of sites, which is far from incomplete, should be ashamed of themselves for bad security policies:

• Marriott Bonvoy (20 char cap) https://www.marriott.com/loyalty.mi **
• StubHub (20 char cap) https://www.stubhub.com/
• PayPal (20 char cap) https://www.paypal.com/

Justification: I realize that a 20-character password is far more secure than what 99.99999% of the population use on a daily basis. However, this is just plain lazy. To put it into perspective, altering an SQL database password column from 20 to 128 could be as simple as this:

ALTER TABLE users MODIFY password varchar(128);

This would allow any encrypted hash to be stored, without consideration of characters. A sane limit to the number of characters, in my opinion, is 128.

There’s an interesting post written on another blog that talks about password cracking. Estimating Password Cracking Times

** SPG allowed up to 64 char, but after the August 13th, 2018 program merger, those with stronger passwords were required to significantly downgrade their security