The OWASP recommendation is to not limit characters that are allowed in a password, but I think you need to have a tradeoff here. You should allow as large a character set as you can, but that means you need to test the character set, unless you want someone's password to take down your system.
I can't think of a good reason to state password rules on a login screen. If you have made your rules open enough, no one should be looking for what special characters are allowed, or a max length limit, or the number of upper case and lower case letters. What rules do you normally see on the sites that do this?
Explaining how you are securely storing data is hard. How much detail do you go into? What information do you leave out? And just because a site is telling you about their security practices, does it mean that they are really doing that?