

"The implied attack assumes that MFA is not used or has been bypassed. If you can get access to download the encrypted database, like what happens with most password databases that are stolen, you don’t need to deal with MFA (or those pesky password lockouts) when making attempts thereafter."

hivesystems.com/blog/are-your-…


in reply to diana 🏳️‍⚧️🦋

Mine is stupid easy with four letters, one of them capitalized, seven numbers, and one punctuation for a total of 12 characters. Places keep telling me it's too easy, so I've got three more characters (two punctuation, one number) I can throw at it.

Some things, like gpg and Yahoo, still tell me it's too weak. I think it's a sign that the whole metaphor is played out... my memory is in danger of a buffer overflow

in reply to diana 🏳️‍⚧️🦋

I get that this is, and has to be, a simplification, but I think it's misleading (or at least bordering thereon).

If you have no idea how the password is stored, it's misleading because it might well just be unsalted md5 and that's worthless. Or even stored plaintext 🤷

If, on the other hand, it's competently done, then these days hopefully a bigger work factor (than 10) would be chosen (and hopefully updated when you use the password), or maybe better yet argon2id instead with a suitable configuration.

Either way, there's really not a lot you can say about the security of a password without knowing the system it's used in.
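The reply above makes two defensive points: a stored hash is only as good as the scheme behind it (unsalted md5 versus a salted, tunable work factor), and the work factor should be raised over time, ideally at the moment the user logs in and the plaintext is briefly available. The following is an added example, not code from the thread or from Hive Systems. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt and argon2id the post mentions (those need third-party packages); the record format, the `CURRENT_ITERATIONS` policy value and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative policy values (assumed, not from the thread): the work factor
# every stored record should reach, and the salt length.
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The 'worthless' storage scheme from the post: no salt, no work factor.
    Equal passwords give equal hashes, so one precomputed table covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as a self-describing record:
    pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>.
    Storing the cost alongside the hash is what makes later upgrades possible."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        RECORD_PREFIX,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest)."""
    prefix, iterations, salt_b64, digest_b64 = record.split("$")
    if prefix != RECORD_PREFIX:
        raise ValueError("unsupported record format: %s" % prefix)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Check a login attempt against a stored record.

    Returns (ok, record_to_store). On a correct password whose record was made
    with a lower work factor than CURRENT_ITERATIONS, the returned record is a
    fresh hash at the current cost (login is the only moment the plaintext is
    available to rehash it). On failure the original record comes back unchanged.
    """
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(candidate, expected):
        return False, record
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print("unsalted md5, user A:", unsalted_md5(pw))
    print("unsalted md5, user B:", unsalted_md5(pw))      # identical: one lookup breaks both
    print("salted PBKDF2, user A:", hash_password(pw))
    print("salted PBKDF2, user B:", hash_password(pw))    # different salts, different records

    # Legacy record at a low cost; a successful login transparently upgrades it.
    legacy = hash_password(pw, iterations=10_000)
    ok, stored = verify_and_upgrade(pw, legacy)
    print("login ok:", ok, "| stored record now uses iterations =", parse_record(stored)[0])
```

The point of carrying the iteration count inside the record is that the policy constant can be raised at any time without touching the database: each account catches up on its next successful login, and an attacker who copies the database offline (the scenario in the quoted Hive Systems text) still has to pay the stored cost per guess for every record.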

in reply to diana 🏳️‍⚧️🦋

Passwords are only the beginning of being secure. You should:

  • Set up MFA on everything you can.
  • Monitor all transactions (I monitor all transactions on all my financial services) and get a text, an email, or both whenever any transaction goes through any of them.
  • Lock your credit with all the credit-monitoring firms.

Monitoring is the real key. Play an active role in your own security by paying attention.
