This is a display artifact. The password length is not limited to the number of mask characters that can be displayed distinctly in dedicated password input fields. The data type into which encrypted passwords are written in the underlying Smarts NCM PostgreSQL Control Database is BYTEA (a byte array), which effectively places no significant limits on the length of a valid password stored in Smarts NCM. Similarly, the Smarts NCM interface password field can accept a far longer series of characters than it is able to display.
To work around the display artifact, continue to key any additional characters into the dedicated password field as needed, even after the field appears to be full.