@stevefoerster that's very misleading because you can't guess X million permutations over an Internet connection... If you have physical access to the machine, the password length doesn't really matter unless you're James Bond.
@wmd @stevefoerster in that case, reusing the password is the vulnerability, not the password length. If the original system was compromised, they could just as easily modify the source to save pws as plaintext, assuming the software was hashing in the first place. It's a valid point to encourage longer passwords, I'm not denying that.