I don't get why passwords ever have to be within a certain length, it just makes it obvious that they're not hashing it. I had to pick one between 6-10 characters (with no symbols) for my Visa securecode the other day.