The website appears to have a very small maximum password length.
This typically indicates that the password is stored somewhere, either in encrypted form or in plain text. Neither of these options represents best practice.
Best practice for the past few years has been to store a salted password hash, rather than the password itself. This allows passwords of arbitrary length (though commonly restricted to a sane length - usually in the order of 100 characters). Commonly these passwords are actually passphrases.
There are also authentication schemes like OpenID that may be a better alternative than rolling our own.
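
A sketch of the salted-hash storage described above, added here as an illustration and not taken from the website's code: the stored record has the same size whether the input is a short password or a long passphrase, so a small maximum length is not needed. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 100-character cap and the record format are assumptions.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_CHARS = 100   # assumed "sane" upper bound
ITERATIONS = 600_000       # assumed PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"   # hypothetical label for the record format


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'scheme$iterations$salt_hex$digest_hex' for storage."""
    if not 0 < len(password) <= MAX_PASSWORD_CHARS:
        raise ValueError("password length out of range")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        iters = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME or iters < 1:
        return False
    if not 0 < len(password) <= MAX_PASSWORD_CHARS:
        return False  # bound the work done on hostile input
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iters
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample inputs: one short password, one long passphrase.
    for pw in ("hunter2", "correct horse battery staple " * 3):
        record = hash_password(pw)
        print(len(pw), len(record), verify_password(pw, record))
```
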