Anytime you see a password length cap you know they are not following current security standards. If they aren’t following them for something so simple and visible, you’d better believe it’s a rat infested pile of hot garbage under the hood.

you have to limit it somewhere or you're opening yourself up for a DoS attack

Half right. Designed to be resource intensive to reverse not to calculate. The goal is minimum resources to turn input into a hash and maximum resources to get from hash back to input.