Limiting password length sucks…

…but inconsistency sucks even more. Check out the American Express login form:

I'd like to use my usual password.

When you sign up for web access, password length is limited to 7 characters, which is quite a bad design decision in itself. What if I have a scheme to generate 10-character-long passwords? Why on Earth can’t I use it?!

But this particular system sucks even more: in the login form, the password length is not limited. Once I forget that this particular web site does not accept passwords of my usual length, I won’t be able to log in anymore: I’ll keep trying my regular password technique again and again, and it will fail over and over. If you limit the password length, you should at least do it consistently, so if I enter a longer password when registering and have some characters thrown away, it would be nice for the login form to do the same. This way your strange idea of limiting the password length would at least be transparent to me.
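The mismatch described above, as an added Python sketch (not code from the site in question): a toy account store where the sign-up form drops characters past 7 and the login form either has no limit or applies the same one. The `Site` class, the `apply_form_limit` helper, the PBKDF2 parameters and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 7  # the sign-up limit described in the post


def apply_form_limit(password, limit):
    """Model an input field that drops characters past `limit` (None = no limit)."""
    return password if limit is None else password[:limit]


def hash_password(password, salt):
    # Assumed storage scheme for the sketch: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Site:
    """Hypothetical account store; the two limits model the two forms."""

    def __init__(self, signup_limit, login_limit):
        self.signup_limit = signup_limit
        self.login_limit = login_limit
        self.accounts = {}  # username -> (salt, hash)

    def register(self, user, typed):
        salt = os.urandom(16)
        stored = apply_form_limit(typed, self.signup_limit)
        self.accounts[user] = (salt, hash_password(stored, salt))

    def login(self, user, typed):
        if user not in self.accounts:
            return False
        salt, expected = self.accounts[user]
        candidate = apply_form_limit(typed, self.login_limit)
        return hmac.compare_digest(hash_password(candidate, salt), expected)


def demo():
    usual = "correct-10"  # constructed 10-character sample password
    results = {}
    for name, login_limit in (("mismatched", None), ("consistent", MAX_LEN)):
        site = Site(signup_limit=MAX_LEN, login_limit=login_limit)
        site.register("alice", usual)
        results[name] = {
            "usual": site.login("alice", usual),
            "first7": site.login("alice", usual[:MAX_LEN]),
        }
    return results
```

In the consistent case any input sharing the first seven characters also logs in, which is the cost of the length limit itself.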

