short_usernames_and_passwords - mqtt/mqtt.org GitHub Wiki
Section 3.1 of the spec states:
It is recommended that passwords are kept to 12 characters or fewer,
but it is not required.
The same recommendation is applied to usernames as well. This is embarrassingly short. People using MQTT in situations where storing a long password is a limitation will already be aware of that constraint. That does not mean a maximum password length should be recommended to everybody else.