Practically every bank I do business with has these limitations. By contrast, my gmail password is 24 characters long, and contains capital and lowercase letters and punctuation. It makes me wonder what their back-end systems look like that they can't handle passwords longer than that.