"Long passwords are great: As a user, the longer your passwords are (while still being memorable and usable), the more secure you are."
This is very false. Longer passwords only protect against brute-force attacks, not social engineering. If anything, they make the user more prone to side-band attacks, as humans can't easily remember such long *random* passwords and are expected to change them every 90 days. Instead they write them down or store them in a text file on their desktop. That in turn makes them vulnerable to social engineering or other non-brute-force attacks that focus on revealing the password, or hints at the password, instead of trying all random values until you hit on a match.