Just a feeling, but I'm sure the number of sites that restrict length is actually on the rise.

The worst are the ones that don't actually bother telling you the max length during setup, so you use a long one which they promptly truncate and store, but they then don't bother truncating the password on login, so it fails. You're then left with either guessing what they truncated it at, or forcing a password reset and guessing length for the new one.

One especially cunning bunch of morons recently first stripped the punctuation characters, then truncated the remainder. WTF??? Sadly I actually needed access.

A bit of the mythical 'best practice' wouldn't go amiss.

