Assume that brute-force (guessing passwords from A to Z, 0 to 9 (AAAA, AAAB, AAAC, ... ZZZZ)) processes one million passwords in one second, how complex should your password be?

The answer is - 8 mixed characters. It will have 6,095,689,385,410,816 (6 zillion) possible combinations if you use A to Z, a to z, 0 to 9, and all those printable punctuation marks. Therefore it will take 193 years to crack - That equals impossible.

Do not use one single thing to make up your password. For example, your favorite color, your birthdate, or your favorite pet's name.

Do not just change O to 0, I to 1. Password guessing software knows those tricks.

Here are the number of possible combinations for each type of characters mixed (8 characters long):

One alphabet case only = 208,827,064,576 (2.5 days to get)
Two alphabet cases = 53,459,728,531,456 (1.7 years to get)
Two alphabet and digits = 218,340,105,584,896 (6.92 years)
Two alphabet, digits, and all punctuation marks = 6,095,689,385,410,816 (193 years)
Printable and high-ASCII characters = 5,899,616,690,476,974,336 (187 millenniums)

Good examples of passwords (Do not use them as your passwords though):

Source: "I found the value of Pi with Calculus"
Password: IftvoPwC
(It takes 1.7 year to get a password consisting only 8 alphabets.)

Source: "America has a 25 cents - the quarter"
Password: Aha25ct¼
(187 millenniums to get this password.)