Why impose limits on passwords?

Rule of Diminishing Returns.

A longer password does not necessarily provide for more account security if the average password user remains lazy in their overall security. At some point, password length and complexity force too many to adopt a lazy approach for security of the password itself. At the same time, password forgetfulness increases, requiring system administrators to create easy tools for changing a forgotten password, again, and again, and again. At some point, the users will say fuck that and either abandon the account (if they can) or maintain easily available cheat sheets where they write down their accounts and passwords, thus defeating the actual intent.

Password length is about social engineering. It’s not a technical limitation.

What I would prefer to see is an international standard governing rules and character set.