Here it's recommended to have 32 characters passwords: https://steemit.com/steemit/@steemit3/third-update-to-july-14th-security-announcement-account-recovery-begins
Some years ago I tried to bruteforce md5 hash of my own 8 characters password and it would take years...
But everything changes fast today ;-)