It seems that there is a public perception that passwords of enormous length are the safest ones. Apart from being hard to remember and difficult to type, this perception is based upon the an attackers ability to guess the password before the number of failed retries locks the account or someone notices and resets the account. Attackers use computers to compute the passwords (known as a brute force attack) or use a list of passwords (called a dictionary attack) to increase their chance of gaining access to the account. There has been considerable research into the area of password guessing and brute force attacks which has resulted in a number of standards emerging. Standards are generally unable to be modified fast enough to keep pace with the rate of change in technology. This results in a lower cost for more CPU cycles that are able to calculate or guess the password in a given time period of time.
If people want to have shorter passwords then they can as long as the authentication system is able to adapt. To meet this authentication change the risk profile must be lowered. This is achieved through permitting fewer failed attempts over a shorter period of time before the account is temporarily locked. Being able to detect login requests from multiple IP addresses over the same period of time also triggers the account lock seeing as people are not yet physically able to be in multiple places at the same time. The down side of this is that not all authentication systems have the ability to change their behavior to meet the different risk profiles. But knowing about such options and asking for them will hopefully get vendors and developers to implement such features.