If you’re going to limit your password field to 12 characters on your login page, you should probably also limit your password field to 12 characters on your registration page.
Related: As a general rule, if you’re going to have criteria for passwords, it’s probably best to let the user know that.
That way you don’t have someone who uses a password manager–like me–input a random 16 character password during registration, only to immediately have to use the “reset my password” feature because I can only put 12 of my 16 characters in the box.
Why do so many web-based systems have such a pathetic max password length anyway? Is there perhaps a default strlen in apache/tomcat or something? What really blows my mind are the ones that require a minimum of 8, a max of (12, usually), and (insert other, stupid condition, like not starting with a number). It’s obvious they’re doing it wrong with regards to password storage.