I wrote a post a while back complaining about the lack of security provided by websites which claim to be secure. A few days ago, a friend griped because the website for his bank won't allow him enough characters to use his standard high-security password (you know, the one reserved for financial websites, SQL Server sysadmin, TrueCrypt, or your personal certificates).
I said, "that really sucks, man. Now anybody who has access to that database can look at your password and therefore knows the password for your other accounts." He looked incredulous for a minute, started to ask why, and came to the same realization I had. The only really good reason to limit the length of your password (or the valid character set, for that matter) would be if you're storing passwords in plain text. The only good reason to say "your password cannot be longer than 12 characters" is if the password field in your user table is only 12 characters wide.
In our applications, you can have any length password and it can include any character that can be transmitted via HTTP POST. Why don't we care what you use for a password? Well, that's because our data field is going to be a CHAR(32) or a CHAR(40) (the width of the hex-encoded hash digest), and no matter what you send us, we're just gonna salt it, hash it, and store it. The stored value is always the same width, whatever the input. There's no need to disallow special characters (like ! or #, which aren't even all that special) and there's no reason to limit the length of the password.
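The salt-it, hash-it, store-it scheme described above, as an added example (not code from the original post). It assumes a 16-byte random salt and PBKDF2-HMAC-SHA256 as the salted hash, so the stored record is always 97 hex-and-separator characters no matter how long or exotic the password is:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (assumptions, not the post's own code):
# a 16-byte random salt and PBKDF2-HMAC-SHA256 as the salted, iterated hash.
SALT_BYTES = 16
ITERATIONS = 200_000
DIGEST_HEX_LEN = 64  # SHA-256 digest is 32 bytes = 64 hex characters
STORED_WIDTH = SALT_BYTES * 2 + 1 + DIGEST_HEX_LEN  # 97 characters, fits a CHAR(97)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a fixed-width 'salt$digest' hex string for any password.

    The password is UTF-8 encoded, so any character that arrives over an
    HTTP POST is accepted, and its length never changes the stored width.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, _, _digest_hex = stored.partition("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed input: a long passphrase with punctuation and non-ASCII characters.
    long_pw = "correct horse battery staple! #ünicode ≠ problem " * 5
    record = hash_password(long_pw)
    print(len(long_pw), "chars in, ", len(record), "chars stored (width", STORED_WIDTH, ")")
    print("verify ok:", verify_password(long_pw, record))
```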
So, if some website wants to limit your password (obviously I'm not talking about rejecting passwords that are too short or otherwise easy to attack), then there's a good chance that they're storing your password in plain text, and you would be fair and just in being upset about it.