I was once told it was to prevent DoS-ing the back end of the system by submitting gigabytes to hash...

the check was an HTML input limit and there was no backend limit...

I was sad.

Maybe the interface expects an 8 character password even if it's hashed on the backend. Maybe it's hashed by something that expects a certain length because it's using a silly algorithm. Maybe not all systems use hashed passwords. Hard to say from the outside, but in my experience it's usually not because the developers were stupid or ignorant.