I think the idea is that if you want to find THE 16 character plaintext it takes 2^128 operations. The new vulnerability means you can find an equivalent (but longer) plaintext in 2^40. So if you limit the password to 16 characters then a longer plaintext with an identical hash is no use. That said, I could be completely wrong about the vulnerability always producing longer strings.