Yes, password must meet the complexity requirement.
It should be 8 digits with special characters to avoid a brute-force attack.
You mean something like this?
.0tmH,-o$dNHI&fEkVl@zNd0mOXD/-5DN,9FCf)4JS-7#!o]li9cYDA_*ck_ou8R@%lZiy{48H+]Pc2Enka7aL9tdx0#)}g8av(.
It is an unnecessarily long password (but it does not hurt). Even the size of a bitcoin address, like 30 random characters, is more than enough, and nobody can realistically brute-force it; I believe there are 2^160 possibilities to try.
But you're right, using a few known words as a password is weak.