Blog Herald has an excellent piece on how to choose a strong password, with lots of references and links. Good stuff.
Passwords of at least eight characters using mixed case are considered strong. While password cracking programs can try thousands of passwords per second, they need the encrypted file the password is in to do so. So, if it’s, say, a bank account password, that file will be on the bank’s highly protected servers and not available to run a crack against. But a bank account password should be extremely strong anyway, and not like any other password you use.
Most passwords are gotten via phishing or because the person did something silly like having all their passwords in a text file on a laptop, and the laptop got stolen. Also, important passwords should never be saved by your browser, because anyone with access to that computer may be able to access the sites.