Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.
The new NIST guidance on passwords recommend that:
- passwords never expire
- no required character complexity or variety rules be implemented
- the maximum length for passwords be set to 64 characters
- the minimum length for passwords be set to 8 characters
- passwords are checked against known bad passwords, banned lists, etc.
- no hints or knowledge-based questions be provided to someone trying to log in (like “Who was your best friend in high school?”)
- passwords only are changed when forgotten
I would add two-factor authentication to that. Where possible, my online account passwords are sixteen characters or longer. I change them after notification of a data breach or in some cases, once a year. Where feasible, I have enabled two-factor or two-step authentication for my accounts. Even on my iMac at home, I have a 24 character password. I use a different password for each online account. I use a password vault application such as 1Password or LastPass to track my passwords. I protect the password vault with a sixteen character password that I don't use anywhere else.