
Why, oh why, are passwords limited to 16 characters? It simply baffles me that modern applications are still being built with these pointless limits. Can you please explain your reasoning to me?


It's a learning curve for us. That's why this kind of feedback is important.


As another person stated, on another question, you didn't really answer why the 16 character limit was imposed in the first place. Is it due to some plugin? You don't think people will remember long passwords?


It's because the password field in their database has a length of 16.


Let's hope they store a (salted) hash of the password, not the password itself.


> It's a learning curve for us. That's why this kind of feedback is important.

Then I would suggest you look out for the opposite problem: denial of service via long passwords (assuming that you correctly use a slow key derivation function).

E.g., Django now accepts passwords with at most 4096 bytes because attackers used gigantic passwords that took a long time to hash.
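An added example, not part of any comment in this thread and not Django's own code: a salted slow hash gives a stored value of fixed length whatever the password length, so a 16-character column limit is unnecessary, while a byte cap applied before the KDF bounds the hashing work. The 4096-byte cap is the figure quoted above; the function names, iteration count and minimum length are assumptions.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # upper bound quoted in the thread for Django
MIN_PASSWORD_CHARS = 8      # assumed policy value, not from the thread
ITERATIONS = 200_000        # assumed PBKDF2 work factor; tune for your hardware
SALT_BYTES = 16


class PasswordRejected(ValueError):
    """Raised before any hashing work is done."""


def _checked_bytes(password: str) -> bytes:
    # Measure the encoded size: multi-byte characters count for more than one byte.
    raw = password.encode("utf-8")
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordRejected("password too short")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordRejected("password too long")
    return raw


def hash_password(password: str) -> str:
    raw = _checked_bytes(password)          # reject oversized input before the slow KDF
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    # The stored record has the same length for every accepted password.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        raw = _checked_bytes(password)      # same cap on the login path
    except PasswordRejected:
        return False
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


if __name__ == "__main__":
    short = hash_password("correct horse")
    long_ = hash_password("x" * 4000)
    print(len(short), len(long_))           # identical stored lengths
```

The cap has to sit on every path that feeds the KDF, login as well as registration, since the login form is the one an unauthenticated client can hit repeatedly.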


Any decent password manager can generate passwords of any length to use, and XKCD style phrase passwords are not that safe anyway.


I'm using LastPass. I usually generate 48 char passwords.


Isn't that overkill though? It's not like they're practically (as opposed to theoretically) better than 16 char passwords.

Who can force break 16 char passwords (especially with non-alphanumeric chars in)?


Realistically, I'm not worried about someone brute forcing my password for some one-off site. On the other hand, there's really no technical reason to limit passwords to anything less than 255 characters, so why do it? What if some technological breakthrough enables us to build processors much more powerful than previously thought possible, processors that can easily brute force a 16 character password? Likely? No. Possible? I have no clue, but I'd rather not gamble on it.



