It is bad programming. Specifically it is very bad security (especially setting a maximum length - that is just ridiculous). I think websites should not rely too much on passwords anyway. They should be designed under the assumption that attackers will fairly commonly get access to user passwords, and therefore not let someone do too much damage from simply being able to login to your account.

The best way to handle passwords IMO, is to have the browser compute a quick hash of the password, and then the server compute the hash of that. That way the "password" that is being sent to the server is always the same length.

Well we don't know how that website is actually storing the password. They may well be using a password hash. Also, you should use scrypt or argon over bcrypt IMO. And there should be no upper restrictions on password length. argon2 can handle hashing megabytes of data in about the same time as a short password, so there's never a need to limit the password length.

To potentially answer my own question: I believe the protocol I was looking for might have been the dat protocol which seems to have been replaced by something else.

I disagree with the prevailing sentiment here. Meta using ActivityPub is going to help ActivityPub grow an will be good for federated platforms like lemmy, and mastadon.

Lemmy should not block threads.net. Individual users can simply opt out of using threads, but it's good if we can communicate with people using it and they can communicate with us using a decentralized, free, standard.