seven basic rules for developers setting up password systems

1. If any part of your user interface or code truncates password plaintext input at a length of less than 255 characters, it’s a bug.
2. If you can’t cope with password plaintexts that contain SPACE and TAB characters (update: or if you impose any charset restrictions) it’s a bug.
3. If your passwords are not hashed, it’s a bug.
4. If you’re hashing your passwords with anything other than Bcrypt, it’s a bug; bcrypt() maxes out at 72 character passwords, but that’s not your fault…
5. If you allow people to use a password of less than 12 characters, it’s a bug.
6. If you do not encourage people to select a unique password for your service, it’s a bug.
7. If you do not encourage people to use passphrases, it’s a bug.

Reference:
http://www.computerworlduk.com/blogs/unscrewing-security/username-google--password-2bon2btitq-3570448/