I saw this post from @jeffmackinnon this morning and it pissed me off. Not the post but the topic - password recipes.
Yeah, I know it is a strange thing to be triggered by, but after being on the internet as long as I have and still coming across needlessly strange password requirements, I am starting to get cranky about it.
Length and rememberability > complexity
We are told all the time that we should have complex and long passwords, but this misses something: if you don't want post-it notes on work computers (or under keyboards), then being able to remember the password matters more than the number of special characters in it.
I have a friend who has very long passwords that are all based on a common recipe. They are all a minimum of 5 words, and the name of the site, their dog and a couple more things go into them.
A possible recipe
So, say I was making a password for this site; it could be a Mad Libs-like thing:
[URLBase] is the place that I visit in [COUNTRY I LIVE] and remember my pet [animal]
So this password may be "peakd is the place that I visit in canada and remember my horse"
Each site would be different, and as long as you trust that the site is hashing the password properly, it is too complex to be recreated. You could have a couple of these Mad Libs and pick between them based on some sort of recipe.
Alternatively, you could use ten random words that are stored in a password manager like 1Password and be very safe. But the maximum length should be set by what the software can actually handle, and 40 characters is WAY too short.
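To put numbers on the two approaches above (the Mad Libs recipe and ten random words) and on the 40-character limit, here is an added example that is not part of the original post. The slot sizes (about 195 countries, about 50 common pet words, a guessable site name) and the 40 bits assigned to a secret template wording are assumptions, not measurements.

```python
import math

# Constructed example: the recipe from the post, with three fill-in slots.
TEMPLATE = "{site} is the place that I visit in {country} and remember my {pet}"


def fill_recipe(site, country, pet):
    """Build the passphrase from the three slots the post uses."""
    return TEMPLATE.format(site=site, country=country, pet=pet)


def slot_entropy_bits(slot_sizes):
    """Entropy, in bits, of a template whose slots are chosen independently
    and uniformly; slot_sizes[i] is how many values slot i can take.
    A slot a guesser can predict (the site name) counts as size 1."""
    return sum(math.log2(n) for n in slot_sizes)


def recipe_entropy_bits(slot_sizes, template_bits=0.0):
    """Total entropy of a recipe passphrase. template_bits is the work needed
    to recover the fixed wording; it drops to 0 once one passphrase built from
    the recipe has leaked, because the wording and the personal slots are then
    visible and only the site slot changes between sites."""
    return template_bits + slot_entropy_bits(slot_sizes)


def random_words_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly from a wordlist
    (7776 is the size of the classic Diceware list)."""
    return word_count * math.log2(wordlist_size)


def fits_length_limit(passphrase, max_len):
    """True if a site's maximum password length would accept the passphrase."""
    return len(passphrase) <= max_len


if __name__ == "__main__":
    pw = fill_recipe("peakd", "canada", "horse")
    # Assumed slot sizes: site is guessable (1), ~195 countries, ~50 pet words.
    leaked = recipe_entropy_bits([1, 195, 50])
    secret = recipe_entropy_bits([1, 195, 50], template_bits=40.0)  # assumed
    print(f"{len(pw)} chars, accepted by a 40-char limit: {fits_length_limit(pw, 40)}")
    print(f"recipe, wording secret: {secret:6.1f} bits")
    print(f"recipe, wording leaked: {leaked:6.1f} bits")
    print(f"ten random words:       {random_words_entropy_bits(10, 7776):6.1f} bits")
```

The example passphrase from the post is 63 characters, so a 40-character cap rejects it outright; the ten-random-word option scores far higher than the recipe unless the wording itself stays secret.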