Re: minimum length but what maximum length
Hello, eionmac, that's a very interesting question.
Your question in essence is "how will the user know what the MAX LENGTH of an acceptable password is?". Let's call that "Question 1". The way you specifically phrased it, though, leads to another very interesting nuance - the length of the password field itself (within the database), as it relates to the maximum acceptable length of any password. Let's call this "Question 2".
For Question 1, that's something that authenticators / sites / apps / systems should clearly tell the user. As far as NIST is concerned, though, the maximum should be long enough so as to be practically unlimited as far as the vast majority of users are concerned (say, 100-200 characters). The fact that we need to limit them at all is simply to avoid potential DOS (denial-of-service) attacks. This is something the security community in general learned the hard way when the Django framework was found to be DOS-able just by copy-pasting several MBs of text into the password field and submitting. The back-end then has to hash that giant piece of text, possibly creating a huge bottleneck in the server.
For Question 2, it's important to understand that whatever the policy is for the maximum password length a user can have, it has no relation to the length of the password field in the database. This is because you should only be storing the *HASH* of the password - therefore, whether your password was only 5 characters long, or 500 characters long, and whether the salt is 4 characters or 40 characters, in the end the final value to be stored is always the length of the resulting hash.
For sites that don't specify a maximum length, yes, that is a scenario that should certainly be improved. The maximum can easily be set to something like 1000 characters without much threat of an easy DOS (effectively that means we'll just be hashing 1KB of data, which isn't really a problem, but that could depend on your specific algorithms and implementation, as well as the capabilities of your back-end server/s and expected volume of users). Providers/authenticators/services/sites should then give that sort of information clearly. The only reason most sites don't do that right now is, in my view, they have too many complex rules. By the time we move on, and the rules that users need to know are just 2 or 3 things, this situation will probably solve itself.
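The two points above (bound the input length before doing any hashing work, and note that the stored value is the fixed-size digest regardless of password or salt length) can be shown with a small Python example. This is an added illustration, not code from the post or from any particular framework; the limit of 1000 bytes, the PBKDF2 iteration count and the salt size are assumed policy values chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed policy values for this example (not taken from the post).
# The cap is practically unlimited for real users but stops a multi-megabyte
# submission from tying up the hashing back-end. It is checked on the UTF-8
# byte length, because that is what the hash function actually has to process.
MAX_PASSWORD_BYTES = 1000
PBKDF2_ITERATIONS = 200_000   # assumed; tune for your hardware
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds the configured maximum."""


def is_acceptable_length(password: str) -> bool:
    """True if the password fits the policy; costs nothing beyond encoding."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The length check runs BEFORE any hashing work."""
    if not is_acceptable_length(password):
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    if not is_acceptable_length(password):
        # Reject oversized input without hashing it; same DoS bound as on enrolment.
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, stored_digest)


def stored_length(password: str, salt: bytes) -> int:
    """Length in bytes of what would go into the database column."""
    return len(hash_password(password, salt)[1])


if __name__ == "__main__":
    # Constructed sample inputs: a 5-character and a 500-character password,
    # with 4-byte and 40-byte salts. The stored digest is 32 bytes every time.
    for pw, salt in (("abcde", b"s" * 4), ("x" * 500, b"s" * 40)):
        print(len(pw), len(salt), stored_length(pw, salt))
    print(is_acceptable_length("a" * 1001))   # False: rejected before hashing
```

The column for the digest can therefore be sized once (32 bytes for SHA-256-based PBKDF2 here, plus whatever encoding you use) and never needs to follow the password-length policy. The `hmac.compare_digest` call on verification is the usual way to avoid leaking digest bytes through timing.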