by pferde 1929 days ago
If you are using a password manager, then a (good) longer password is basically extra safety for literally zero extra price, so why not? What does it matter if you are copy-pasting, or letting the password manager autofill, twelve characters or fifty?

The GP comment gave a reason: some websites might misbehave with longer passwords, so it's not actually free.
But that's a self-defeating attitude. If you are going to defensively assume that websites are broken in this way, the only logical conclusion is to limit your generated passwords to something ridiculously conservative, like six characters.

In my opinion, it is more reasonable to assume that most websites will behave correctly with even longer passwords, and solve the odd misbehaving ones on a case-by-case basis.

But if 16 characters is already secure for the foreseeable future, why bother risking it for negligible gains in security?
That's something each of us has to determine for themselves.

I haven't yet, in my many years of "being on the web", encountered a single website with the truncated password problem described above, so for me, it's a weird statistical anomaly to be ignored.

If you have been burned repeatedly by some such websites, you will have a different outlook, and will generate your own passwords accordingly.

Because sometimes you do need to type it. I'm reminded of signing into a Kindle e-reader with a shared (family) account and a long randomly-generated password with lots of symbols (I could not change the password). The Kindle has a terrible keyboard and obscures the password input, so what could have taken ten seconds took ten minutes and many attempts.

I use “correct horse battery staple”-style[1] passphrases now because they're still long and secure, but also memorable, so I don't have to enter passwords character-by-character, and I've memorized all of my most-used accounts now and don't need to look them up. 1Password can even generate these types of passwords automatically.

The only annoying bit is when services have arbitrary restrictions like “no spaces”, or “mix of capitals, lower-case, numbers, and symbols”. In those cases I use hyphens instead of spaces, or stick “A1!” on the end.

[1]: https://xkcd.com/936/

The "correct horse battery staple" style was (originally?) known as Diceware: https://theworld.com/~reinhold/diceware.html The FAQ is interesting reading.
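As an added example (not code from any commenter in this thread), here is a Diceware-style generator in Python that draws words with the `secrets` module, reports the entropy of the result next to a random character password of a given length, and applies the "hyphens instead of spaces, A1! on the end" adjustment described above. The word list is a short constructed stub so the example runs offline; a real Diceware list has 7776 words, and the entropy figures assume that size.

```python
import math
import secrets

# Constructed stub in place of the real 7776-word Diceware list (assumption:
# it exists only so the example runs offline; use the real list in practice).
STUB_WORDLIST = [
    "correct", "horse", "battery", "staple", "anvil", "bison", "candle", "dune",
    "ember", "fjord", "gravel", "hazel", "ivory", "juniper", "kettle", "lantern",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries: five dice rolls select one word


def generate_passphrase(num_words, wordlist=STUB_WORDLIST, separator=" "):
    """Draw words with a CSPRNG; random.choice() is not acceptable here."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a uniformly drawn passphrase: log2(list_size) per word."""
    return num_words * math.log2(list_size)


def password_bits(length, alphabet_size):
    """Entropy of a uniformly drawn character password."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def fit_policy(passphrase, allow_spaces=True, require_mixed=False):
    """The workaround from the thread: hyphens for spaces, 'A1!' appended when a
    site insists on upper case, digits and symbols. A constant suffix adds no
    entropy; it only satisfies the complexity checker."""
    out = passphrase if allow_spaces else passphrase.replace(" ", "-")
    if require_mixed:
        out += "A1!"
    return out


def has_all_classes(pw):
    """True when pw has lower case, upper case, a digit and a non-alphanumeric."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    p = generate_passphrase(5)
    print(p, "->", fit_policy(p, allow_spaces=False, require_mixed=True))
    print(f"5 Diceware words: {passphrase_bits(5):.1f} bits")
    print(f"16 random printable ASCII chars: {password_bits(16, 94):.1f} bits")
    print(f"Diceware words for 128 bits: {words_needed(128)}")
```

Four words from the full list give about 51.7 bits, five about 64.6, and it takes ten words to match the roughly 105 bits of a 16-character password drawn from the 94 printable ASCII characters. That is the trade the thread is discussing: a memorable, typeable passphrase of comparable strength is considerably longer than the random string a manager would generate.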
Fair enough, although as someone who uses a 60-character-long home Wi-Fi password - and has had to type it out manually more than once in the past - I think it's still worth it, because such cases are rare. :)
And on mobile you can connect using a QR code so it's a simple way to avoid that as well.
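Added example (not from the thread): the "WIFI:" payload that phones read from a Wi-Fi QR code, built in Python with the delimiter escaping a long, symbol-heavy passphrase needs, plus the WPA/WPA2-PSK length check (8 to 63 printable ASCII characters) that a 60-character password sits just under. The format is the ZXing convention; limiting it to the T/S/P/H fields is an assumption, and encoding the string into an actual QR image is left to whatever QR library you use.

```python
# WPA/WPA2-PSK passphrase limits from IEEE 802.11i: 8 to 63 printable ASCII chars.
WPA_MIN, WPA_MAX = 8, 63


def is_valid_wpa_passphrase(password):
    """True if the passphrase is acceptable as a WPA/WPA2 pre-shared key."""
    return (WPA_MIN <= len(password) <= WPA_MAX
            and all(32 <= ord(c) <= 126 for c in password))


def _escape(value):
    """Backslash-escape the characters the WIFI: scheme treats as delimiters."""
    return "".join("\\" + c if c in '\\;,":' else c for c in value)


def wifi_qr_payload(ssid, password="", auth="WPA", hidden=False):
    """Build the string to encode in the QR code (ZXing 'WIFI:' convention).
    Only the T, S, P and H fields are emitted (assumption for this example)."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth == "WPA" and not is_valid_wpa_passphrase(password):
        raise ValueError(f"WPA passphrase must be {WPA_MIN}-{WPA_MAX} printable ASCII chars")
    fields = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if auth != "nopass":
        fields.append(f"P:{_escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


if __name__ == "__main__":
    # Constructed sample: a symbol-heavy passphrase on a network whose SSID
    # contains a delimiter character.
    print(wifi_qr_payload("home;net", 'k3y:with,odd"chars\\here'))
```

The escaping matters precisely for the kind of password the thread is about: a 60-character generated string will often contain `;` or `:`, and without the backslashes the phone parses the payload at the wrong boundary and silently gets a truncated key.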