Multiple password fields for one login

I agree with the other answers:

  • It adds little or no entropy compared to just using a longer password (as Steffen Ullrich points out).
  • If you hash the passwords separately, it makes the hashes easier to crack compared to one hash of a long password (as lengyelg points out).

But I would like to add one point related to user behaviour.

Forcing the user to pick two passwords instead of one will probably make the user pick worse passwords out of pure exhaustion. You will just encourage people to repeat the same password twice with some modification to evade any blocks you put in place to prevent this.

When you factor in the human picking the passwords, I think you end up being less secure, not more. At best it is just annoying without any security benefit at all, and at worst it is directly harmful to security.


It's actually less secure to have two separate password fields in the sense that if password hashes are stored separately, it can be easier to find two shorter passwords from something like a rainbow table than one long password. Of course if a single hash is stored for the concatenated password, it's the same as one password field.


The only difference between your proposal of two passwords P1 and P2 and a single password P1+P2 is where the string P1+P2 is split to get the two passwords. Compared to the complexity which can be achieved already with a long password this additional step adds nearly nothing in complexity and thus does not really make cracking the password harder.