>The trade-off is password strength vs. ease of use. Obviously a longer password is more robust, especially if a combination of letters, numbers, and special characters is required. (That's a good idea anyway IMO). But as a user I hate having to type in a long password every time I use an application. The "sweet spot" for me is 8 characters.
Yes, we usually start with 8 and increase to 10 at the client's request. :)