Anytime you see a password length cap you know they are not following current security standards. If they aren’t following them for something so simple and visible, you’d better believe it’s a rat infested pile of hot garbage under the hood.

you have to limit it somewhere or you're opening yourself up for a DoS attack

Half right. Designed to be resource intensive to reverse not to calculate. The goal is minimum resources to turn input into a hash and maximum resources to get from hash back to input.

See “Password Hashing” here: en.m.wikipedia.org/wiki/Key_derivation_function

It is actually important to have a controlled cost to calculate in the forward direction too.