I think that maximum 16 characters is way too short. Perhaps 127 bytes might be a suitable maximum, although it should be more if possible. (This does not mean that you are required to enter a password of at least that length; it is only the maximum length, not the minimum length.)