Every time I see a registration form limit the character count or the special characters, I just assume they're stored in plaintext and the developers don't know the first thing about security.
I sincerely hope you're using something like Argon2, or ar least BCrypt.