Passwords should be long - as long as you want to make them. The longer the password, the bigger its entropy. Mathematically, guessing the password sallysallysally will take longer computing time than sally. Websites or apps that ask for 8-16 character passwords should not be asking for a max character limit of passwords. Instead they should encourage users to create long passwords. Also, do not restrict the user to only use certain special characters - let them use all of them.