Why do some sites enforce low-security passwords?

I get that what comprises a good password is a bit of a moving target and not everyone agrees – just run a password through a number of checkers to see how it is rated differently depending on the criteria.

But a couple of things seem like safe bets and are widely acknowledged – length (as a method of achieving entropy, famously covered here: https://xkcd.com/936/), and size of character set, which doubles the number of possible combinations with each additional character.

So WHY DEAR GOD do some sites insist on limiting passwords to 8-16 characters, and/or disallow special characters? One example is WA state’s GoodToGo toll road website, which does both.

This feels like it’s one of three things, two of which are bad:

  1. Developers using antiquated frameworks that impose this last-millenium restriction;

  2. Developers still subscribing to the theory that long passwords are bad because they are hard to remember;

  3. Some cutting-edge understanding of password security that makes this an actual best practice that I have just never heard of and can’t comprehend.

I’m hoping that this is just fading away, but I keep running into it. We need a public shaming site that lists sites that do this, to force them into adapting reasonable password form practices.