Why do some websites and programs restrict password characteristics?
I think the reason is the same as for any other input validation; to make sure it doesn't cause any problems during processing and storage. Now, for passwords this is of course completely misguided since they should be hashed and therefore neither stored nor really processed in cleartext.
I'd take any such limitations as an indication that the developers don't know what they're doing securitywise, and are probably going to store the password in cleartext. Stay away.
I'm going to go with: the same old reasons people do strange things.
Because it seemed like a good idea at the time. Developers might be well-intentioned but poorly informed. There's no need to limit password length, but maybe developers aren't aware of that. Maybe developers didn't even think about it.
Because it was easier than the alternatives. Maybe they are using an API that can't handle arbitrary-length passwords; that might make it easier to just limit password length than to use a better API. Maybe they have SQL injection flaws in their database, and rather than coding things properly to avoid the SQL injection flaw, it's easier to just blacklist some characters (e.g., forbid users from including single quotes in their passwords). Maybe for some reason it was easier to use a fixed-length array than a variable-length string. Who knows.
Bottom line: there's no really good justification for such limits. I'm sure we're used to the fact that commercially available software often contains all sorts of strange design misfeatures. It happens. It's a fact of life. It's a consequence of the fact that "good-enough" is a lot cheaper than "perfect".
A rational reason for limiting password length and possible charset is to prompt the user into applying proper password management techniques. In plain words, if a password is huge or full of weird characters, then this increases the likelihood that the user will write the password down on some piece of paper (traditionally glued under the keyboard) and/or reuse the same password into several systems.
Conceptually, how the user manages his own passwords are his responsibility, and none of the website business. But, in practice, users are security-wise clueless and cannot be bored with anything which does not have an immediate retribution (especially when users are potential customers). So it is up to the website to try to do what it can in order to protect the user.
Note that I do not claim that trying to enforce good password management is the reason why any given site limits password length; it is just a reason why I would envision a password length limitation on my own site (if I were to manage a website with user passwords).
Another rationale for limited allowed charset is to promote interoperability: preferably, the user should be able to type his password on a wide range of input devices. Non-ASCII characters are not good for anything which looks like a US keyboard (it is possible to type non-ASCII letters on a US keyboard, I do it all the time, but methods vary depending on the operating system and configuration, and do not work well with blind typing as is customary with password entry). Smartphones have even greater restrictions. There again, interoperability is (in my view) a good reason to enforce a limited charset, but many websites will have such a restriction for bad reasons (e.g. so that the password can be carelessly dumped into a SQL request without proper string escaping, something which can only be described as sloppy engineering).