Here is the text of the NIST sp800-63b Digital Identity Guidelines.
7 points
By any length I meant no maximum length. Obviously you don’t want to use a super short password.
4 points
Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.