In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
Sounds like they’re using bcrypt. Feeding more than 24 utf8 characters into bcrypt won’t do anything useful. You can permit longer passwords (many sites do) but they’d be providing a false sense of security.
Bcrypt is still secure enough and 24 characters are fine as long as they’re randomly generated by your password manager.
Do you have a source for the 24?
I can find a 72 byte limit. (Wikipedia, article) That’s three times as many [ascii] utf8 characters I could use.
Utf8 isn’t ASCII. It takes up more space.