I ran into this error trying to create an account at lowes.com:
In 2018 I don’t think it is unreasonable to want to have a password longer than 12 characters. I’d suggest that the minimum maximum limit should be 50 characters.
There does need to be a limit though, accepting a 15,000,000 character password is just asking for trouble. What is a reasonable high end limit then? I’d be fine with drawing the line at 1,000 characters. I think you could even argue for something lower, like 250 characters.
If you need more than 1,000 characters to come up with a good password, there are probably bigger security problems that your system needs to address.