If the passwords were not salted and hashed, they have major problems. Anyone not doing that in 2019 should be fired for incompetence.
If the passwords are salted and hashed then what is stored is the hash which is a fixed length. Therefore imposing an arbitrary password length limit is completely pointless. You need some limit on buffer length and calculation time, but 20 characters?