Generate a
16-character
password

16 characters is a practical consensus point. It's long enough that brute-force attacks are computationally infeasible even with future hardware improvements, short enough to be supported by virtually all modern systems, and short enough that it doesn't cause UX issues in most password manager autofill flows.

No. The cost of using a 16-character password over a 12-character one is zero — your password manager types it for you. The benefit is a massive reduction in brute-force risk. There's no downside to using 16 characters as your default.

A random character string and a passphrase of the same length have different entropy characteristics. A 16-char random mixed-case string has ~104 bits. A 16-char passphrase (e.g., 'correct-horse-bat') drawn from a large word list can have similar or higher entropy while being easier to type. Use random strings with a password manager; use passphrases for things you type manually.

Reusing them. A 16-character password is extremely strong mathematically, but if you use it across multiple sites, one service breach exposes all of them. Always generate a unique password for every account — that's what a password manager is for.

Not for security against brute force — what matters is the total entropy (number of possible combinations), not the sequence. However, a 'random' password you create yourself will have predictable patterns that reduce effective entropy. A password generated by crypto.getRandomValues() is genuinely random.