[Salesforce] the maximum length of a Salesforce user's password in characters

What is the maximum number of characters that a Salesforce user password can have?

According to Setting Password Policies:

User passwords cannot exceed 16,000 bytes.

How does that translate into characters that the user would enter in the browser for their password?

Firstly, what character encoding is Salesforce using?

This I think I can answer:

Internationalization and Character Sets

[…] The character set for your organization depends on the Salesforce instance your organization uses. If your organization logs into ssl.salesforce.com, then your encoding is ISO-8859-1. All other instances use UTF-8. You can determine the character set for your organization by calling describeGlobal() and inspecting the encoding value returned in the DescribeGlobalResult.

UTF-8

With UTF-8 it looks like a character could be 1, 2 or 4 bytes (Ref: What is the maximum number of bytes for a UTF-8 encoded character?). So, I think, if all the characters were in the U+0000 to U+007F code point range then I could get up to 16,000 characters in a password.

In the ideal world this would never be an issue with API integrations and I'd use an OAuth refresh token to maintain a session from an external system.

This question came about with an older system that had a maximum password length of 36 characters. I'm looking at increasing it, but getting a defined maximum password length isn't as straightforward as you might think. Ideally I won't be replacing one arbitrary upper limit with another one.

I personally haven't encountered any 8000+ character passwords. They are hard to remember and difficult to type out. But the potential exists.

Best Answer

Any character can be one 'code point' or a combination of two 'code points' (e.g. á can be described as two code points, a + ', in one character), and every code point can be 1 to 6 bytes (or 4, since the 2003 spec).

So theoretically one character could use up to 12 bytes.

Now I don't think that will happen, and in the new spec 8 bytes would be the max, but if you want to be safe I would divide that 16,000 by 12. That still gives plenty of possible passwords for a user to choose from, I would say :-)

Oh, and this is a great read: http://www.joelonsoftware.com/articles/Unicode.html
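
As an added worked example (not part of the question or the answer above, and not a Salesforce API), the following Python measures a candidate password the way the limit is actually stated, in bytes of the org's encoding, rather than in characters typed. It shows the 1-to-4-byte spread of UTF-8 code points the question reasons about, the "two code points in one character" case the answer describes (a decomposed ä, and a ZWJ emoji sequence that is one visible character but seven code points), and the difference between a UTF-8 org and an ISO-8859-1 org as reported by describeGlobal(). The sample passwords, the constant and the function names are constructed for illustration.

```python
"""Measuring a password against a byte limit rather than a character count.

Added illustration (not from the original question or answer): Salesforce
states its limit as 16,000 bytes, users type characters, and the two
differ once the password leaves ASCII.
"""
import unicodedata

# Limit quoted from "Setting Password Policies"; the constant name is ours.
SALESFORCE_MAX_PASSWORD_BYTES = 16_000


def encoded_length(password: str, encoding: str = "UTF-8") -> int:
    """Bytes the password occupies in `encoding`.

    `encoding` is the value describeGlobal() reports in
    DescribeGlobalResult.encoding: "UTF-8" for most instances,
    "ISO-8859-1" for orgs on ssl.salesforce.com.  Raises UnicodeEncodeError
    when the password cannot be represented at all in that encoding.
    """
    return len(password.encode(encoding))


def fits_limit(password: str, encoding: str = "UTF-8",
               limit: int = SALESFORCE_MAX_PASSWORD_BYTES) -> bool:
    """True only if the password both encodes and stays within `limit` bytes."""
    try:
        return encoded_length(password, encoding) <= limit
    except UnicodeEncodeError:
        # e.g. an emoji on an ISO-8859-1 org: unrepresentable, so reject.
        return False


def bytes_per_code_point(password: str) -> list[int]:
    """UTF-8 size of each code point; shows the 1/2/3/4-byte spread."""
    return [len(cp.encode("utf-8")) for cp in password]


def decompose(password: str) -> str:
    """NFD form: precomposed letters become base letter + combining mark.

    Same visible characters, but more code points and more bytes; this is
    the 'two code points in one character' case from the answer.
    """
    return unicodedata.normalize("NFD", password)


# Constructed sample passwords (escapes keep this file ASCII-only).
ASCII_PW = "correct horse battery staple"             # 28 chars, 28 bytes
LATIN1_PW = "p\u00e4ssw\u00f6rd"                        # 8 chars, 10 bytes in UTF-8
MIXED_PW = "a\u00e4\u5bc6\U0001F510"                    # 1 + 2 + 3 + 4 bytes
# One family emoji: 4 emoji (4 bytes each) joined by 3 ZWJ (3 bytes each).
FAMILY_PW = "\U0001F468\u200D\U0001F469\u200D\U0001F467\u200D\U0001F466"


if __name__ == "__main__":
    for name, pw in [("ascii", ASCII_PW), ("latin1", LATIN1_PW),
                     ("latin1 NFD", decompose(LATIN1_PW)),
                     ("mixed", MIXED_PW), ("family", FAMILY_PW)]:
        print(f"{name:11} code points={len(pw):3} "
              f"utf-8 bytes={encoded_length(pw):3} "
              f"per code point={bytes_per_code_point(pw)}")
    # ASCII gets the full 16,000 characters; 2-byte letters get only half.
    print(fits_limit("a" * 16_000), fits_limit("\u00e4" * 16_000))
    # The Latin-1 password is shorter on an ISO-8859-1 org, but the emoji
    # in MIXED_PW cannot be encoded there at all.
    print(encoded_length(LATIN1_PW, "ISO-8859-1"),
          fits_limit(MIXED_PW, "ISO-8859-1"))
```

The practical point for the integration in the question: validate the candidate password with `fits_limit()` using the encoding your org reports, not with a character count, and be aware that a client that normalizes input to NFD sends more bytes than one that sends NFC for the same visible password.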
