i was more wondering why a length limit implies anything about how they're storing the password. once they receive the password they're free to hash it any which way they want
random memory—yahoo back in the day used to hash the password in the browser before sending it to the server, but TLS made that unnecessary i guess