It's an incorrect implementation, the same as when eg an account provider truncates a long password to 8 characters.