We are in 2011 after all, so seeing an error message that a password is too long is… well, embarrassing.
So, given that passwords shouldn’t, or should I say must not, be stored in a way that lets anyone (even administrators) retrieve the plaintext, we’re talking about some sort of hashing. Whether the hashing algorithm is MD5 (avoid) or SHA1 (and to defeat precomputed tables of password hashes, also known as rainbow tables, you should combine the hash with a salt), the length of the resulting hash does not depend on the length of the plaintext password.
So, why is the length of the password limited to 16 characters? Beats me.
Of course, I recommend that developers use bcrypt instead of SHA or MD5. Bcrypt is very slow (compared to SHA or MD5), which is a good property to have when checking passwords: you don’t want a super-fast hashing algorithm, because the slowness is exactly what makes brute-force attacks expensive.
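One way to store passwords the way the post describes, as an added example (not the author's code): salted and deliberately slow, with a fixed-size hash whatever the password length, so there is no reason to cap input at 16 characters. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the function names, constants and sample passwords are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Salted, iterated password hashing with PBKDF2-HMAC-SHA256 (Python stdlib).
# Stand-in for bcrypt, which the post recommends but which needs a third-party
# package; the high iteration count is what makes each guess slow.
ITERATIONS = 200_000
SALT_BYTES = 16


def digest_length(password: str) -> int:
    """Length in bytes of a plain SHA-1 digest: always 20, whatever the input."""
    return len(hashlib.sha1(password.encode("utf-8")).digest())


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'.

    A fresh random salt per password defeats precomputed (rainbow) tables;
    the iteration count is stored so it can be raised later without breaking
    existing records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    short, long_ = "correct horse", "x" * 100   # constructed sample passwords
    print(digest_length(short), digest_length(long_))        # 20 20
    record = hash_password(long_)                            # no length cap needed
    print(verify_password(long_, record), verify_password(short, record))  # True False
```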