262
Largest Study of its Kind Shows Outdated Password Practices are Widespread
(www.cc.gatech.edu)
This is a most excellent place for technology news and articles.
Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.
If the limit is something like 250 or more characters, I'm more inclined to believe it's basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server's request limit allows, at an API that performs cryptographic work.