That doesn’t help if someone got a list of their hashes somehow. Then an attacker can use their own system to crack them.

And that’s if they aren’t just storing the passwords as clear text to begin with, which length limitations are often a sign of.