When you create an account on a website and you set up a username and password, the website should never store your password. Instead, they should store a "hash" of your password, which is a kind of fingerprint of it. A very basic (and insecure) version of this would be something like converting each letter of your password to a number, e.g. A=1, B=2, C=3, etc, and then adding up the numbers. So my password of "apple" would be 1+16+16+12+5, which is 50. The website then stores your username and this fingerprint of your password in its database. When you return to the website to log in, you type your username and password, and the website puts your password through the same algorithm as before and checks whether the fingerprint of what you typed in is the same as the fingerprint which is stored in the database. If they're different, then the password must be wrong.
Obviously my "algorithm" of converting letters to numbers and adding them up is massively flawed in that there are a lot of different passwords which would all have the same fingerprint, but it demonstrates the idea, which is that:
- Given the value of the fingerprint (hash), you cannot know what the password was.
- Changing any of the characters of the password will give you a totally different hash.
So that is why a website should never need to store your actual password. And hence, it should never be able to send you a password reminder, because it shouldn't know what your password is. If a website can send you a password reminder then it's built by cowboys. Delete your account, and run away.
Resetting It Is Different
Instead, most websites provide a way for you to reset your password, usually by sending a unique link to your email. They deem that you are the only person with access to your email (a dubious assumption), and usually the link will only work for a short period of time.
The reason this is so different is that, although it's based on some questionable assumptions about email security, it safeguards the site against a mass leaking of passwords. If the website is storing the actual passwords and their database is stolen, then every account on that site is now in the hands of the attackers. But if the website is only storing the hashes, then even if someone takes a copy of the whole database, they still can't log into any of the accounts. And managing to break into someone's email to abuse the email-based reset functionality would hopefully only compromise one account at a time, not the whole lot in one go.
The algorithms used for password hashing usually have the characteristic that the fingerprint output will always be the same length, regardless of the length of the input. You could input a single letter, or a 3GB movie file of your wedding video, and the fingerprint would still be the same length. It's usually 32 characters, like this: d41d8cd98f00b204e9800998ecf8427e.
This means that websites shouldn't need to limit the length of your password, because they're only ever storing 32 characters. If a website has a maximum password length, then it's a sign that maybe they're storing your actual password. Write and complain, publicly shame them on Twitter, or use another site.
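As an added example (not code from the original post), here is the post's letter-sum fingerprint beside a store-and-verify flow that keeps only a salted hash, using PBKDF2-HMAC-SHA256 from Python's standard library. It shows both points made above: the toy fingerprint collides for different passwords, while the real hash is always the same length however long the password is. The username, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# The post's deliberately weak fingerprint: A=1, B=2, ... summed.
# Reproduced here only to show why it cannot serve as a password hash.
def letter_sum(password: str) -> int:
    return sum(ord(c) - ord("a") + 1 for c in password.lower() if c.isalpha())

# A realistic flow: the site stores (salt, hash) per user, never the password.
# Iteration count is an assumed, constructed value for the example.
ITERATIONS = 600_000

def make_record(password: str) -> dict:
    """Create the database record for a new account: random salt + hash."""
    salt = os.urandom(16)  # fresh per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    """Re-run the same algorithm on the typed password and compare fingerprints."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def login(users: dict, username: str, password: str) -> bool:
    """Look up the stored record for the username (constructed table) and verify."""
    record = users.get(username)
    return record is not None and verify(password, record)

if __name__ == "__main__":
    users = {"alice": make_record("apple")}  # constructed sample account
    print(letter_sum("apple"), letter_sum("papel"))  # toy hash collides
    print(login(users, "alice", "apple"), login(users, "alice", "papel"))
    print(len(make_record("a")["hash"]), len(make_record("x" * 5000)["hash"]))
```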