Newsweek is particularly bad with this. According to them, Trump “loses it” or “explodes” every time he makes a critical comment about someone else

Such a small max length is a good indicator they aren’t handling passwords correctly. A modern website should be able to send and hash kilobytes of text without the user seeing a significant delay. Having a max size like this sounds like they are storing the password as text instead of a hash.

Or some dumb project manager said passwords longer than 24 characters look bad in the UI and wanted the limit.