Password strength question

The thing is, is crunching away at that one account worth 23 days to the attacker? Or is there worth somewhere else. I mean, all encryption can eventually be broken - it's just the amount of time that is the barring factor for how strong it is. If it's long enough to make it not worth the attack, wouldn't the attacker move on to something that could be more fruitful? Of course like I said, that's assuming you're not a high value target.

THIS!

Listen guys...and apologies for not reading this entire thread in detail, but Length > Complexity... Always!

Let's say I want to get into your computer. Well first, I'm not going to brute force anything. I'm just going to remove the password. Plain and simple.

But let's say I actually want to get your password. Well then I'm going to need to decrypt it. I won't go into a ton of detail, but that's going to require some effort. I'm going to start with a single character, then guess all possible characters. Then change to two characters and guess all those combinations. Then I move on to three, four... etc.

See how this works? Doesn't matter how complex your password is, it's just a matter of time before I get to 8... 10 characters. Now if you use a 20 character password, the time it takes me to crack that gets exponentially longer with each added character. The passphrase "I freaking hate my password its stupid" is so much better than "DFL#T#$*SD"

I can remember that phrase, it's easy, and it's going to take a very long time to decipher. An interesting anecdote. During a training for a (particular government agency that shall remain unnamed), the students were given the options to break into a WPA or WPA2 network. They obviously chose the WPA network. What they didn't know was that the WPA network had a 50 character password. After two days they gave up. LENGTH BEATS COMPLEXITY!!!!! ALWAYS!!!!

Also, DO NOT USE PASSWORD CHECKING SITES!

Let's pretend you're a bad guy who wants to see what people are using for passwords... why not host a site that spits out random time estimates on cracking passwords? Because that's exactly what those sites do.

Stay safe out there all.
 
The thing is, is crunching away at that one account worth 23 days to the attacker?

I'd say for one, it's not necessarily going to be a specifically targeted attack. SAM files, password databases etc. get compromised all the time.

Secondly, 23 days was with one graphics card that would be vastly outperformed again by a single $400 GTX 1070.

23 days was also the absolute maximum time it'd take to *guarantee* cracking your password. But see the classic birthday probability puzzle - you only need 23 people in a room to have a 50% chance of 2 people already sharing the same birthday.
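
An added example, not written by any poster in this thread: it sizes the incremental search described above (every 1-character string, then every 2-character string, and so on) and reports both the worst-case and average cost for the two passwords quoted. The guess rate and the character-class alphabet are assumptions, and the model covers exhaustive search only, not wordlist-based guessing.

```python
"""Added example: cost of the incremental brute force described in the thread."""
import string

# Assumed guess rate, constructed for illustration (not a figure from the thread).
ASSUMED_GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes a searcher must include to cover a given password (assumption).
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that covers the password."""
    return sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in password))


def candidates_up_to(alphabet: int, length: int) -> int:
    """Candidates tried when every length from 1 to `length` is exhausted in turn."""
    return sum(alphabet**n for n in range(1, length + 1))


def average_guesses(alphabet: int, length: int) -> int:
    """Expected guesses for a random password of exactly `length` characters:
    all shorter strings, plus on average half of the final length."""
    return candidates_up_to(alphabet, length - 1) + alphabet**length // 2


def years(guesses: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Convert a guess count into years at the assumed rate."""
    return guesses / rate / SECONDS_PER_YEAR


def worst_case_years(password: str) -> float:
    """Time to exhaust the whole space, i.e. the 'guaranteed' figure."""
    return years(candidates_up_to(alphabet_size(password), len(password)))


if __name__ == "__main__":
    for pw in ("DFL#T#$*SD", "I freaking hate my password its stupid"):
        a, n = alphabet_size(pw), len(pw)
        print(f"{n:2d} chars, alphabet {a:2d}: "
              f"worst case {worst_case_years(pw):.3g} years, "
              f"average {years(average_guesses(a, n)):.3g} years")
```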
 