Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.
There should be no need for such a low upper limit
- it won't take any extra space in the database since all password hashes will be the same length
- if the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.