[coldtea]

Any decent password manager can generate passwords of any length to use, and XKCD style phrase passwords are not that safe anyway.

[dav-]

I'm using Lastpass. I usually generate 48 char passwords.

[coldtea]

Isn't that overkill though? It's not like they're practically (as opposed to theoritically) better than 16 char passwords.

Who can force break 16 char passwords (especially with non-alphanumeric chars in)?

[dav-]

Realistically, I'm not worried about someone brute forcing my password for some one-off site. On the other hand, there's really no technical reason to limit passwords to anything less than 255 characters, so why do it? What if some technological breakthrough enables us to build processors much more powerful than previously thought possible, processors that can easily brute force a 16 character password? Likely? No. Possible? I have no clue, but I'd rather not gamble on it.