There's a type of attack where you put absurdly large inputs into fields that perform expensive calculations, like password hashing... So imagine 100 computers spamming the login form with the whole Bee Movie script 10x per second (which would be a pretty small attack)... Cheap to send, expensive to process. As others mention, the storage should be cheap, because the hashed version of the password is all the same length.
So it makes sense for apps to have SOME upper limit... But it should be like 64 or 100 or 128 or 500 or something. 12 or 16 or 20 is just obnoxious.
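The upper limit described in the comment above, as an added example that is not part of the original comments: the length check runs before the expensive hash, so oversized input costs almost nothing to reject. The 128-byte cap, the PBKDF2 settings and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 128    # assumed cap, one of the values the comment suggests
PBKDF2_ROUNDS = 100_000     # assumed work factor for this demo
STATS = {"kdf_calls": 0}    # counts how often the expensive step actually ran


class PasswordTooLong(ValueError):
    """Raised when input exceeds the cap, before any hashing happens."""


def _encode_checked(password: str) -> bytes:
    # A str of N characters is at least N bytes in UTF-8, so a huge input
    # is rejected here without even paying for the encode.
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password exceeds limit")
    raw = password.encode("utf-8")
    # Multi-byte characters can still push the byte length over the cap.
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password exceeds limit")
    return raw


def _kdf(raw: bytes, salt: bytes) -> bytes:
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ROUNDS)


def hash_password(password: str):
    """Return (salt, digest); the digest is 32 bytes whatever the input length."""
    salt = os.urandom(16)
    return salt, _kdf(_encode_checked(password), salt)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    try:
        raw = _encode_checked(password)
    except PasswordTooLong:
        return False  # rejected cheaply; the KDF never runs
    return hmac.compare_digest(_kdf(raw, salt), expected)
```
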
It's not that it does NOTHING to improve security... An 8-character password with more options per character IS more complex (and in that sense, secure) than one with fewer.
It's just that adding more characters (e.g. in a passphrase, as per your example) also increases complexity, and is more usable.
But you forgot the rule where it couldn't be more than 12 characters long, so you didn't try the correct variation until the validation error for the password reset told you what the rules are.
Seems like a cool concept that they just didn't execute super well.
Like having two behavioral simulations (cast simulation interacting with props you place, and audience simulation that reacts to where you place the camera's attention) that you need to navigate sounds cool, and bound to lead to some interesting and funny emergent experiences... but it sounds like the implementation was just undercooked.
I'd probably still give it a try on sale or something but g o d d a m m i t does that Corporate Memphis art style rub me the wrong way. Lmk when the San Andreas texture mod drops though.
It's pretty good. But it isn't the greatest song in the world.