Password lengths of 64+ characters are unusable

What’s weird is that creating an account on http://accounts.fedoraproject.org isn’t a problem when you create your account, even with a 256 character password, but then you can’t log back in again. So I had to reset a few times, from 256 to 128 to 64, and around 64 I could log back into accounts.fedoraproject.org but not here on the forum. 32 is fine for both sites.

What can be improved? Set a max password length allowed to be put in if your servers/databases can’t handle long ones.

If you are using a 2FA token together with your password, then the password should be smaller than 122 characters. This is not an exact bound, because there are cases when the password is encoded and that encoding further reduces the size of the actual password.

See Issue #9600: login fails with longer passwords after enabling TOTP - freeipa - Pagure.io for the underlying core issue (RADIUS protocol specification). The investigation was prompted by 2FA OTP token not accepted everywhere · Issue #1103 · fedora-infra/noggin · GitHub.

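To make the "not an exact bound" caveat above concrete, here is an added example (not code from the thread, FreeIPA or noggin): it assumes the RADIUS User-Password attribute cap of 128 octets from RFC 2865 and a 6-digit TOTP code, which is where the 122 figure comes from, and shows how UTF-8 encoding shrinks the usable character count further. A sign-up form or password-change hook could run a check like this so the user is warned before they lock themselves out.

```python
# Added example (not from the thread): estimate whether "password + TOTP code"
# still fits in a RADIUS User-Password attribute. RFC 2865 caps that attribute
# at 128 octets, zero-padded to a 16-octet multiple. The 6-digit TOTP length is
# an assumption here; it is not taken from FreeIPA's source.
RADIUS_USER_PASSWORD_MAX = 128   # octets, RFC 2865 section 5.2
RADIUS_PAD_BLOCK = 16            # the field is padded to a 16-octet multiple
TOTP_DIGITS = 6


def encoded_len(password: str) -> int:
    """Octets the password occupies on the wire (UTF-8), not characters."""
    return len(password.encode("utf-8"))


def padded_len(n: int) -> int:
    """Length after RFC 2865 zero-padding to a 16-octet boundary."""
    return -(-n // RADIUS_PAD_BLOCK) * RADIUS_PAD_BLOCK


def fits_with_otp(password: str, otp_digits: int = TOTP_DIGITS) -> bool:
    """True if the password followed by an OTP of otp_digits fits in User-Password."""
    return encoded_len(password) + otp_digits <= RADIUS_USER_PASSWORD_MAX


def max_password_chars(password: str, otp_digits: int = TOTP_DIGITS) -> int:
    """Longest prefix (in characters) of `password` that still fits alongside the OTP.

    Non-ASCII characters cost more than one octet each, so for such passwords
    the usable length is well below the 122 characters quoted in the thread.
    """
    budget = RADIUS_USER_PASSWORD_MAX - otp_digits
    used = 0
    for i, ch in enumerate(password):
        used += len(ch.encode("utf-8"))
        if used > budget:
            return i
    return len(password)


if __name__ == "__main__":
    ascii_pw = "a" * 128   # constructed: the 128-character case from the thread
    umlaut_pw = "ä" * 70   # constructed: 70 characters but 140 octets in UTF-8
    for pw in (ascii_pw, umlaut_pw):
        print(len(pw), "chars ->", encoded_len(pw), "octets; fits with TOTP:",
              fits_with_otp(pw), "; max usable chars:", max_password_chars(pw))
```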

Please open a bug at GitHub · Where software is built to make sure Accounts system properly handles this.


And I thought I was a Paranoid Panda :)

2FA would be adequate for the threat model, I would think. Red Hat makes an authenticator: FreeOTP - Wikipedia

NIST password recommendations: Strength of Passwords


I might just take a look at FreeOTP. Currently using Authy on Android, and KeePassXC for TOTP on desktop. Technically I also have KeePassDX on the phone, but Authy is a bit easier for most cases.

And I wouldn’t call it paranoia per se, I’m just a dumbass. I keep thinking there’s guardrails against my foolishness, but alas.
In that link about Strength of Passwords they’re talking about megabytes and I started at a quarter of a kilobyte ¯\_(ツ)_/¯


If you’re looking for an Android OTP app, I have been very happy with Aegis ( GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens. ).

It’s open source, has a bunch of features, is available on F-Droid, etc.
