Or not letting people paste into the field.

I just ran into that idiocy when updating mine. Terrible. I generated a new password with 1Password and wanted to paste it in and had to type it in manually instead, twice, plus the old one.

This is one of the more annoying "security features" I've seen. Makes it a massive pain to use automatically generated passwords.

Most likely a VARCHAR(16) plaintext field.

Everybody here loves bcrypt, but you don't hear about how it has a max input size of 55 bytes >:)

There's no good reason the max should be so low, but you should not hurt your users by silently truncating input or exceeding the entropy limit of a fixed-size scrambling mechanism.

Or not.