Just to let everyone know that the ICO has published new guidance on this subject.
The guidance can be found at:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/