Overview
Password Maximum Length is a typical parameter of a Password Policy, specifically the Password Modification Policy, that deals with Password Quality.

Password Maximum Length AttributeTypes
Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
No reasonable person is going to use a website with a 64-character password limit then turn around and say "this site's security is crap because they didn't let me use more than 64 characters in my password". But just to be sure, make it 100. Or 200. Or stick with NIST's thinking and make it 256, it doesn't matter because it's going to hash down to the same number of characters anyway.
This is really the simplest of concepts: don't have a short arbitrary password length and don't chop characters off the end of a password provided by a user. At the very least, an organizational Entity defending this position should say "we know it's bad, there's legacy reasons, we'll put it on the road map to be rectified".
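Both points above (a generous maximum costs nothing in storage, while chopping characters off the end silently weakens the password) can be seen in a short added example. This is not code from the original page: the PBKDF2 parameters, the 8-character minimum and the `truncate_to` switch that reproduces the legacy behaviour are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8        # assumed minimum for this example
MAX_LENGTH = 256      # generous cap from the text; it only bounds hashing cost
ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware


def _derive(password, salt, truncate_to=None):
    """Derive a fixed-size digest. truncate_to models the legacy anti-pattern."""
    if truncate_to is not None:
        password = password[:truncate_to]  # silently drops the tail
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password, truncate_to=None):
    """Return (salt, digest); reject out-of-policy lengths instead of truncating."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        raise ValueError(f"password must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    salt = os.urandom(16)
    return salt, _derive(password, salt, truncate_to)


def verify(password, salt, digest, truncate_to=None):
    """Constant-time comparison; over-long input is refused before hashing."""
    if len(password) > MAX_LENGTH:
        return False
    return hmac.compare_digest(_derive(password, salt, truncate_to), digest)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    short_pw = "hunter2-extra-long-tail"
    long_pw = "correct horse battery staple " * 8  # 232 characters

    # Stored size is the same whatever the input length.
    for pw in (short_pw, long_pw):
        salt, digest = enroll(pw)
        print(len(pw), "chars ->", len(digest), "byte digest")

    # With an 8-character truncating system, a wrong password that shares
    # the first 8 characters is accepted.
    salt, digest = enroll(short_pw, truncate_to=8)
    print("truncating verifier accepts wrong tail:",
          verify("hunter2-WRONG", salt, digest, truncate_to=8))

    # Without truncation the same wrong password is rejected.
    salt, digest = enroll(short_pw)
    print("full-length verifier accepts wrong tail:",
          verify("hunter2-WRONG", salt, digest))
```
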
More Information
There might be more information for this subject on one of the following:
- [#1] - Passwords Evolved: Authentication Guidance for the Modern Era - based on information obtained 2017-07-26