The easiest answers I can intuit are a) space concerns and b) passwords being stored unencrypted. I reckon point a is valid because malicious users may attack the provider with very long passwords via creating bogus accounts, to disrupt the service; and b is valid because if the developers are lazy enough to store unencrypted passwords away, likely they are to defend against injection attacks via disallowing characters like (').