Is length even important or is complexity the most important?
I would like to pick this subquestion.
Given that the complexity is how many characters you are allowed to use for the password.
Given that a more secure password is one that would need more time to bruteforce.
The number of possible words you would need to test with brute-forcing is then our metric for saying how secure the password is.
You calculate the number of possible passwords using: NumberOfPasswords = NumberOfCharacters^PasswordLength
E.g., if you have a password of length 3 and digits only (aka 10 characters): 10^3 = 1000
On the other hand, a password of length 10 and 3 characters: 3^10 = 59049
So length is more important than complexity.
-----------------------------------------------------------------------
However, this theoretical approach does not take into account dictionary attacks which are commonly used.
In practical terms:
Password length and complexity only need to be enough so that brute-forcing doesn't help anymore. A password of length 24 is practically as good as 12 because both can't be brute-forced in a reasonable time frame.
Beyond that you definitely need to avoid dictionary attacks by:
- Not reusing passwords that you use somewhere else (one data leak of plain-text passwords and your passwords will potentially be added to word lists).
- Not using passwords that are likely used by other people.
- Avoiding actual words with meaning in general. That includes combinations of words with added digits or words in 1337 speak. Attackers know that these are typical modifications and may generate these variations automatically.
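A small keyspace calculator, added here as a worked example and not part of the original answer, that puts numbers on both halves of the argument: the NumberOfCharacters^PasswordLength comparison from the first part, and the "dictionary words plus typical modifications" caveat from the second. The attacker guess rate, the wordlist size and the number of mangling rules are assumed illustrative figures, not measurements.

```python
import math

# Assumed attacker guess rate for the comparisons below (constructed figure
# for illustration only): one trillion guesses per second.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """log2 of the candidate count, the usual 'bits of strength' figure."""
    return math.log2(candidates)


def years_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR


def dictionary_candidates(wordlist_size: int, words: int, mangling_rules: int) -> int:
    """Candidates when a password is built from `words` dictionary words and
    one of `mangling_rules` typical modifications (appended digits, 1337
    substitutions, capitalisation ...). Length no longer enters the formula."""
    return wordlist_size ** words * mangling_rules


def length_beats_complexity() -> bool:
    # The answer's own numbers: 3 digits vs 10 characters drawn from 3 symbols.
    return keyspace(3, 10) > keyspace(10, 3)


def beyond_brute_force(length: int, alphabet_size: int = 95, limit_years: float = 1000.0) -> bool:
    """True when exhausting the keyspace takes longer than `limit_years`."""
    return years_to_exhaust(keyspace(alphabet_size, length)) > limit_years


def passphrase_vs_random() -> tuple:
    """Bits for a 24-character passphrase of 3 dictionary words (assumed
    100k-word list, 1000 mangling rules) vs a random 10-character password
    drawn from all 95 printable ASCII characters."""
    phrase = dictionary_candidates(wordlist_size=100_000, words=3, mangling_rules=1_000)
    random10 = keyspace(95, 10)
    return entropy_bits(phrase), entropy_bits(random10)


if __name__ == "__main__":
    print("length beats complexity:", length_beats_complexity())
    print("12 chars beyond brute force:", beyond_brute_force(12), "24 chars:", beyond_brute_force(24))
    print("passphrase bits vs random 10-char bits:", passphrase_vs_random())
```

The last function is the point of the second half of the answer: the longer passphrase built from dictionary words ends up with fewer bits than a shorter random password, because the attacker searches words and rules, not characters.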