TheMG
Premium Member
join:2007-09-04
Canada

TheMG to cableties
Re: Who's using 'password' as a password? TOO MANY OF YOU!

said by cableties:

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...

A 16-character limit is fine as long as the website or service in question limits the number of unsuccessful attempts, which most if not all banks do.

For instance, the bank I'm with will lock you out after 3 successive login failures. After that, you need to contact the bank by phone or in person and verify your identity to have the password reset.

This means an attacker has 3 chances to get it right. In other words, as long as the password isn't guessable, it doesn't matter that the password isn't insanely long.

The only effective attack method when the number of unsuccessful attempts in a given time period is greatly limited would be a dictionary attack. So as long as the password isn't guessable, you're good.

Very lengthy passwords are important mostly when the rate at which attempts can be made is very high or unlimited. File or hard drive encryption is a good example of that. The speed at which someone can brute-force encrypted data depends only on how much processing power is available to the attacker.

In most cases when someone's online account on a website gets "hacked", it's as a result of one of the following:

A) keylogger
B) dictionary attack
C) vulnerability in the site's code or server
D) poor website security policy, allowing the attacker to perform a password reset
E) social engineering
F) using the same password for more than one site (and the password at another site gets compromised)

Brute-forcing online accounts is a relatively rare thing, as it would take nearly forever, even for a seemingly short 16-character password. Assuming the website in question imposes no limits on failed login attempts, internet latency (ping) alone would make the process take years/decades, not to mention you'd probably unintentionally DDoS the web server in the process. Besides, if the website administrator did his job, such malicious activity should raise a red flag pretty quickly.
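As an added example (this is not code from TheMG's post or from dslreports), here is a small Python model of the two situations the post contrasts: an account guard that locks after a fixed number of consecutive failed logins, a dictionary attack run against it under that guess budget, and a worst-case time calculator for the offline case where the guess rate is limited only by the attacker's hardware. The demo accounts, the mini wordlist, the lockout threshold of 3 and the guess rates are all assumptions constructed for the example.

```python
import secrets

LOCKOUT_THRESHOLD = 3  # assumed: lock after 3 consecutive failures, like the bank in the post

# Constructed demo accounts; "bob" uses the password the thread is about.
ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "password",
}

# Constructed mini wordlist, in the order an attacker would try it.
TOP_GUESSES = ["123456", "password", "qwerty", "letmein", "abc123"]


class AccountGuard:
    """Counts consecutive failed logins per username and locks the account
    once the threshold is hit; only an out-of-band reset clears the lock."""

    def __init__(self, accounts, threshold=LOCKOUT_THRESHOLD):
        self.accounts = accounts
        self.threshold = threshold
        self.failures = {}   # username -> consecutive failure count
        self.locked = set()  # usernames that must be reset out of band

    def attempt(self, username, password):
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects
        even the correct password, as the post describes."""
        if username in self.locked:
            return "locked"
        stored = self.accounts.get(username, "")
        # compare_digest avoids leaking the mismatch position through timing
        ok = username in self.accounts and secrets.compare_digest(
            stored.encode(), password.encode())
        if ok:
            self.failures.pop(username, None)
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.threshold:
            self.locked.add(username)
            return "locked"
        return "denied"

    def reset(self, username):
        """Stand-in for the phone / in-person identity check that unlocks."""
        self.locked.discard(username)
        self.failures.pop(username, None)


def dictionary_attack(guard, username, wordlist):
    """Try wordlist entries in order until the login succeeds or the account
    locks. Returns (outcome, number_of_guesses_used)."""
    for i, word in enumerate(wordlist, 1):
        result = guard.attempt(username, word)
        if result in ("ok", "locked"):
            return result, i
    return "exhausted", len(wordlist)


def brute_force_years(charset_size, length, guesses_per_second):
    """Worst-case years to exhaust every password of exactly `length`
    characters drawn from `charset_size` symbols at the given guess rate."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    guard = AccountGuard(ACCOUNTS)
    print("bob:  ", dictionary_attack(guard, "bob", TOP_GUESSES))
    print("alice:", dictionary_attack(guard, "alice", TOP_GUESSES))
    # The right password is refused until the out-of-band reset happens.
    print("alice, correct password while locked:",
          guard.attempt("alice", ACCOUNTS["alice"]))
    guard.reset("alice")
    print("alice after reset:", guard.attempt("alice", ACCOUNTS["alice"]))
    # Offline attack on an encrypted file: 95 printable ASCII characters,
    # an assumed 1e9 guesses/s, exact length 8 versus 16.
    print(f"8 chars offline:  {brute_force_years(95, 8, 1e9):.2f} years")
    print(f"16 chars offline: {brute_force_years(95, 16, 1e9):.2e} years")
    # Online with no lockout at all, an assumed latency-bound 10 guesses/s.
    print(f"16 chars online:  {brute_force_years(95, 16, 10):.2e} years")
```

Running it shows "bob" falling on the second guess, well inside the three-attempt budget, while "alice" is locked on the third guess and the correct password is then refused until the reset. The guard locks on the username, matching the bank policy in the post, which also means anyone who knows a username can lock that account with three bad guesses; a real deployment usually pairs this with per-source rate limiting and alerting rather than relying on the counter alone.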