Comment on My password is not accepted because it is too long

bpev@lemmy.world 1 day ago

So this is *mathematically* correct, but practically not really. But let me give you a long answer. There are essentially two things here that are different:

  1. Does a longer password make your password more difficult to guess? (always yes)
  2. Does a longer password make accessing the content it protects more difficult? (yes, to a certain point)

The reason for #2 in digital systems is hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as an algorithm that takes an input and then always returns the same output for that input, but isn’t reversible (in theory, you can’t derive the input from the output; it’s one-way). This is why if someone hacks Facebook, they don’t necessarily have your Facebook password.

Usually, these algorithms return a fixed-length character string. And so your data is mathematically not more safe if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long-password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 60-character string. So mathematically, your password is not more secure beyond 60 characters.

However, in practice, this is a non-issue, because I think that basically the only way that collisions like this are useful is for brute-forcing a password? And the chance of a password collision in this way is something like 1 in 10^27 or 10^28 (being hit by lightning every day for 10,000 years)? The much easier solution is to get your actual password. So if your password being longer makes it harder for people to guess, I’d say that adding security by way of #1 is still extremely valid.
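Added example (not part of bpev's comment), using SHA-256 from Python's standard library as a stand-in for bcrypt, to show the two points above in numbers: the cost of guessing a random password grows with its length without bound (#1), while the fixed output length of the hash caps what point #2 can add. The 95-symbol printable-ASCII alphabet, the 256-bit digest and the sample passwords are assumptions of this example.

```python
import hashlib
import math

# Constructed sample passwords of very different lengths (not from the post).
PASSWORDS = ["hunter2", "correct horse battery staple", "x" * 200]

PRINTABLE_ASCII = 95   # assumed alphabet: printable ASCII symbols
DIGEST_BITS = 256      # SHA-256 output size; bcrypt would differ


def digest_hex(password: str) -> str:
    """Hash a password; the output is always the same length, whatever the input."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guess_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Point #1: work (in bits) to guess a uniformly random password of this length.

    This grows without bound as the password gets longer.
    """
    return length * math.log2(alphabet_size)


def effective_bits(length: int, digest_bits: int = DIGEST_BITS,
                   alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Point #2: an attacker only needs *some* input hashing to the stored digest,
    so the digest size caps the security the hash can offer, however long the
    password is.
    """
    return min(guess_bits(length, alphabet_size), digest_bits)


def length_where_cap_binds(digest_bits: int = DIGEST_BITS,
                           alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Smallest random-password length at which the digest cap is reached."""
    return math.ceil(digest_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    for pw in PASSWORDS:
        print(f"len={len(pw):3d} digest_len={len(digest_hex(pw))} "
              f"guess_bits={guess_bits(len(pw)):7.1f} "
              f"effective_bits={effective_bits(len(pw)):5.1f}")
    print("cap binds at length:", length_where_cap_binds())
```

For a 256-bit digest and a 95-symbol alphabet the cap is reached at 39 random characters; beyond that only the guessing cost (#1) keeps rising, which is the comment's practical conclusion.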
