This was the immediate and exact same thought I had the moment I read the first sentence of the post. Then I stopped reading. Clearly this was not an engineering decision, and passwords should be trusted to no one but competent engineers and cryptographers.