I can see no reason for account passwords to be limited to 20 characters — this makes using more secure passwords (such as those generated with diceware, for example) infeasible and worsens overall security.