Unlike access to a computer system or a website where the administrators can simply not accept logins more more than once every two seconds and slow down brute force hacks, if someone has your wallet, they can sit there all day running automated scripts against it.

Someone using a desktop PC could get an 8 letter, 2 number password in a few days. Someone with more substantial processing power? A couple hours. The NSA? Probably less than a second.

My life became much easier when I abandoned memorizing passwords and started using a password manager. I no longer have passwords shorter than 17 characters, and most of them are between 23 and 60 characters long. All with mixed case, variable quantities of numerals and punctuation, and wherever the systems allow it I include characters from multiple languages in the high unicode registers.

&}vbrشJh7ç1SφH@NmMfIu/^Cyf4""Auzpה=)XЯQ7v«6AZ0zhɣ

…isn't a half bad password, except that now it's been posted to a public forum.

Edit to add: https://howsecureismypassword.net/ is a fun place to test out combinations. Best not to put actual passwords in there, of course. According to that site, the above password would take a desktop PC 74 untrigintillion years to crack. Frankly, I'd have to look up what an untrigintillion is but I think it involves a whole mess of zeroes.