I used a 26 letter password, at one time, but... sometimes I have to use someone else's machine, like a "gas pump" at a service station (odometer reading for corporate credit card), or an ATM machine (PIN number), and they won't allow that many characters.
I digress: I ran a program for over 2 years, on a dedicated machine, trying to randomly guess the correct order of the english alphabet (yes, I know there is no true randomness on computers). After 2 years, it had correctly guessed the first 13 letters. At 100K tries a second, I judged that it would take 1,840,645,487,000,000,000,000,000 years to guess them all -- soooo, I figured a 26 letter password was pretty safe. LoL!
On PCs, I finally settled on 10 letters -- a mixture of caps/lower-case letters, numbers, international english keyboard characters, and punctuation symbols -- arranged in a geometric pattern.
On other systems, you have to go with the flow. For instance, my cell phone provider only allows four numbers. Really! What a bunch of morons...
Anyway, the 10 letter sequence I normally use, allows me to use my left "pinky" (hidden under the palm of my left hand) to press the [shift] key, so if someone is watching me type my password (over my shoulder, with a security camera, etc.) they still don't know what I typed.
I have my web server(s) setup to use keyboard login or a virtual keyboard, so nobody can capture my login sequence with a "keylogger".
You can do the same thing on an Ubu box by implementing Onboard or Matchbox.
Example: I`m typing this line with Matchbox
Anyway, it's GOOD to be a little paranoid, especially if you're connected to the web, controlling web servers remotely (including forum mods & admins), doing online banking, blah, blah, blah.