Well, 67 bits.  I'd say that if a password hash algorithm produced exactly 67 bits (i.e. sha256(sha256(input)), truncated after the 67th bit), we have to date demonstrated a crack of a particular value (all zeros).

Or, we've done something that requires 2^68 work (2^67 * 2 hashes per attempt).

I'd also like to know the cumulative number of sha256 hashes done to date by bitcoin miners, which should be on the same order of magnitude.