Average time needed to crack a password with 12 RTX 4090 graphics cards by length (source, image):
| 6 | 12 hours | 10 | 33k years | 14 | 805bn years | ||
| 7 | 1 month | 11 | 2m years | 15 | 56tn years | ||
| 8 | 7 years | 12 | 164m years | 16 | 3qd years | ||
| 9 | 479 years | 13 | 11bn years | 17 | 276qd years |
Note that these values assume that the attacker has access to a database of hashed password, and is trying to log into as many accounts as possible, so not really applicable for someone trying to get into specifically your account and guessing the passwords, but I believe it might still be a good wake-up call for people who believe 6 or 8 characters are a "strong" password.
In case you do not read the linked article (which you should!... if this interests you, that is. The site has a really shitty, anti-user design, but the info is a good introduction to the topic) also note that I took those values from the column assuming combination of capitalised and non-capitalised letters, numbers and special symbols.
I recommend storing your login credentials safely on a piece of paper in a locked book/drawer, or in an offline (or, if you need syncing, hosted on-prem), encrypted FOSS password database (I recommend KeePassXC). I would strongly advise against reusing the same password and remembering it, or entrusting it to some tech giant like mozilla, google, lastpass or whoever else might be trying to convince you to store your passwords in their cloud.
Important thing to remember if you are trying to protect against a directed attack is to keep the length of you password randomized as well, If I were an attacker, and you revealed to me that you use 12 character password on my site, I am most likely going try that very password an all the sites where I want to compromise you, and then prioritize other 12 character passwords. By having your password length random for each site (in a range you determine as safe, obviously), you minimize this risk.
