
I like diceware a lot. The only drawback is that the pass phrases are too long for some sites.


Any site which has low upper bounds for password lengths is not to be trusted.


Certainly, I agree, but half the web is still that way. Many banking sites even.


I think it's a bit hyperbolic to call it half the web. Only a small handful of sites cap password lengths. They might happen to be sites you use, but it's not nearly as common a practice as you seem to think.


I don't think you're correct. Anyone who's storing a password in plaintext is probably going to use a fixed-width field to do so. I'd bet half the internet stores plaintext passwords. A lot of the web is one-off e-commerce systems that no one should trust anything with.


My bank caps at 12 chars -- silently. I couldn't log in until I only typed the first 12 chars.


Are they actually using all that password length, or are they just allowing people to enter long passwords and truncating them?


I've used a system at work that truncates passwords when setting them, but not when checking them. It doesn't fill me with confidence.
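
An added illustration of the failure mode in the comment above, not code posted in the thread: a store that cuts the value to a fixed-width field on write but compares the full string on login, next to a salted scrypt store that accepts any length. The 12-character field width, the user name and the passphrase are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed column width of a legacy fixed-width password field (constructed for this example).
FIELD_WIDTH = 12


class TruncatingStore:
    """Models the defect: the value is cut to the column width when it is saved,
    but the login check compares the full string the user typed."""

    def __init__(self):
        self._pw = {}

    def set_password(self, user, password):
        self._pw[user] = password[:FIELD_WIDTH]  # silent truncation on write

    def check_password(self, user, password):
        stored = self._pw.get(user, "")
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))  # no truncation on read


class HashedStore:
    """Hardened form: random salt plus scrypt over the whole passphrase, so the stored
    value has a fixed size however long the passphrase is."""

    def __init__(self):
        self._rec = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._rec[user] = (salt, self._derive(password, salt))

    def check_password(self, user, password):
        rec = self._rec.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._derive(password, salt), digest)


def demo(passphrase="correct horse battery staple"):
    """Returns (truncating store accepts full phrase, truncating store accepts first
    FIELD_WIDTH chars, hashed store accepts full phrase)."""
    bad, good = TruncatingStore(), HashedStore()
    bad.set_password("alice", passphrase)
    good.set_password("alice", passphrase)
    return (bad.check_password("alice", passphrase),
            bad.check_password("alice", passphrase[:FIELD_WIDTH]),
            good.check_password("alice", passphrase))
```

Running `demo()` reproduces the symptom from the thread: the full passphrase is rejected while its first 12 characters are accepted, whereas the hashed store accepts the full passphrase.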


The problem is that sites can truncate your password without telling you. Hard to make the call not to use a site if you don't know it is doing that.


I suppose you could attempt to log in while omitting the last character of your password to test against truncating.


True, good point.



