Especially with 600k PDBKF2 iterations, 16 alphanum chars should be very safe.
There's a (warning: very detailed) issue covering the topic of PBKDF2 iterations and password length over here, if you feel like diving into that rabbit hole: https://github.com/robinmoisson/staticrypt/issues/159