Could you elaborate a little bit on this? I'm not familiar with mainframes, but genuinely curious what specifically would cause this?

Some financial systems, a large number of which run on mainframes, have databases where all fields are fixed length. (A database with fixed-length records is trivial to access randomly.)

One of my credit cards lists my name as "Christophe" rather than "Christopher" as they have a fixed-length 10 character field for first names. Customer support said it was unfixable.

It only takes one such system, in a complex web, to impose that limit on all systems.

A similar thing happens to me when I fly. My boarding passes usually truncate the middle name field which in my case (typically) results in the name of a religious figure rather than an uncommon or obviously truncated name.

This has never been an actual issue (or even commented on), but another middle name discrepancy has. Back in high school, there were some issues with my name on my state ID not exactly matching the school's entry for me.

At least American Express automatically changes "Christopher" to "C" so your first name is abbreviated rather than just cut off.

It's possible, but this explanation still implies they're storing the passwords, not the hashes.

Think more along the lines of "they once had a mainframe in their infrastructure which stored passwords instead of hashes, which caused their requirements to limit the length of passwords to 20 characters, even if that system is no longer in use, or now uses hashes."

Sure, but that means that currently there's no reason to have the limit, except that they don't want to invest any effort to change it.

This is a very likely answer. Strange that it is downvoted.

Eh. No worries.

I expect a relatively small minority of the HN crowd have exposure to decades-old mainframe systems.

It seemed a plausible rationale, given the state of the world ~2000 when PayPal was ramping up was very different.

Especially in the financial sector, I can see partners and/or requisite systems to interface with being heavily mainframe-based.

And now, even if PayPal is following best practices, it's possible one of their counterparties is stuck in the 1980s. People forget that "building Fort Knox around a private line from X DC to Y DC" is sometimes cheaper than "rewrite COBOL system of record that no one alive worked on."

My experience with multiple identity systems matches the mainframe or mainframe era explanation. Old systems had to draw a line. So they did. And those lines still ripple like waves through modern systems even now.

"Mainframe" doesn't seem like an actual answer to me. Why can't mainframes handle passwords longer than 20 characters? Are mainframes incapable of doing password hashing? Can't modern databases have text fields with a max of 20 characters, why is that problem unique to mainframes?