
A limit as low as 20 absolutely has its roots in insecure prehistoric password storage policies, even if the implementation happens to have been updated at some point in the past two decades to no longer store passwords in plaintext. As you say, everybody has some kind of limit, if only to prevent DoS attacks, but that limit should be closer to 1000 bytes than 20 bytes.



It doesn't have to be an old decision. I've seen new systems applying the same rule without any technical reasoning.

Google "(framework) signup form" and you'll find lots of examples. Third link for rails: https://stackoverflow.com/questions/31105996/ruby-on-rails-w... - written in 2015, has an artificial 8-20 character limit without any technical reason.


Yep, just look at the CTA's Ventra system, which came online in 2013. 20-character password limit, but implemented in the worst possible way: only on the web UI, and they don't tell you about it.

Basically, I generated a 32-character password in my password manager, pasted it in, got no errors when I made my account, and could log in in Chrome successfully. However, I couldn't log in on the mobile app. I tried manually typing, copy/pasting, nothing worked (it doesn't even seem like they auto-lock accounts after 15 failed login attempts...). So I went to change my password on my desktop and noticed it stopped accepting anything after 20 characters. The field silently truncated my password. So I typed the first 20 into the mobile app, and was able to log in.

The worst part about this system is that since the mobile app doesn't respect the limit (not sure if there is a limit in the app, I was able to do 64 characters successfully), you can make your account inaccessible from web browsers with a >20 character password (meaning it's not a DB restriction, it's just an arbitrary client-side restriction, and it's not even implemented consistently). I reported this bug last week and got a generic email response, so it probably still works for now.


I’ve had this exact experience with probably a dozen sites. Truly astounding.




