[pferde]

But that's a self-defeating attitude. If you are going to defensively assume that websites are broken in this way, the only logical conclusion is to limit your generated passwords to something ridiculously conservative, like six characters.

In my opinion, it is more reasonable to assume that most websites will behave correctly with even longer passwords, and solve the odd misbehaving ones on a case by case basis.

[gruez]

But if 16 characters is already secure for the foreseeable future, why bother risking it for negligible gains in security?

[pferde]

That's something each of us has to determine for themselves.

I haven't yet, in my many years of "being on the web" encountered a single website with the truncated password problem described above, so for me, it's a weird statistical anomaly to be ignored.

If you have been burned repeatedly by some such websites, you will have a different outlook, and will generate your own passwords accordingly.