…is not that databases of password hashes get stolen, or that the encryption and hashing algorithms are weak, or that GPU-based attacks are getting so strong, but that users will always be the weakest link.
Users.
Because they will always pick passwords like:
123456
password
P@ssword
1234!
There is a lot of misinformation out on the web. One article suggests that "throwing in symbols" will not help you create a stronger password, yet it then jumps from a 9-character alphanumeric password that can be cracked in 48 days to a 7-character password with symbols that takes only 7 days. But they shortened the password! Extending the character set and shrinking the length at the same time tells you nothing about the value of symbols on their own. Also not mentioned is that this kind of brute-force cracking ONLY works under the following conditions:
The first point is very important, as most systems only expose some kind of login interface that gathers the user's credentials, and brute-forcing that is not going to work unless the password is trivial. The time needed to recover a non-dictionary password, even one only 7 characters long, by hammering a well-designed authentication portal is enormous. With network latency it is hard to get more than, say, 1000 attempts per second. Even assuming the system does not lock you out, that is 400 million times slower than a brute-force attack on raw hashes, which makes the online attack impractical when good passwords are in use, even if they are only 7 characters long.
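The two comparisons above (symbols versus length, and online versus offline guessing) come down to keyspace size divided by guess rate. The following is an added example, not code from the original article, that makes both calculations explicit. The character-class sizes (62 alphanumerics, 95 printable ASCII), the 1000 guesses/s online rate and the offline rate of 400 million times that are assumptions chosen to match the figures in the text; the article's own 48-day / 7-day numbers imply a different cracking rig, so they are not reproduced here.

```python
"""Keyspace and brute-force time for the password policies discussed above.

Added example, not part of the original article. All rates and character-set
sizes below are assumptions, stated inline.
"""
from math import log2

# Assumed character-class sizes for a US keyboard.
ALNUM = 26 + 26 + 10        # upper + lower + digits = 62
PRINTABLE = 95              # 62 alphanumerics + 33 printable symbols (incl. space)

# Assumed attack rates, in guesses per second.
ONLINE_RATE = 1_000                     # throttled login portal, per the text
OFFLINE_RATE = ONLINE_RATE * 400_000_000  # "400 million times" faster on raw hashes

SECONDS_PER_YEAR = 365.25 * 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses/second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def keyspace_ratio(cs_a: int, len_a: int, cs_b: int, len_b: int) -> float:
    """How many times larger policy A's keyspace is than policy B's."""
    return keyspace(cs_a, len_a) / keyspace(cs_b, len_b)


def min_length_for(charset_size: int, rate: float, years: float) -> int:
    """Smallest length whose full keyspace takes at least `years` at `rate`.

    Useful for the 'revisit your length every few years' advice: plug in the
    rate you expect attackers to have, get the length you need.
    """
    length = 1
    while years_to_exhaust(charset_size, length, rate) < years:
        length += 1
    return length


if __name__ == "__main__":
    # Symbols vs length: the article's 7-char-with-symbols password is far
    # weaker than its 9-char alphanumeric one, because it lost two characters.
    print(f"62^9 / 95^7 = {keyspace_ratio(ALNUM, 9, PRINTABLE, 7):.0f}x")
    # Symbols at equal length do help: 95^9 vs 62^9.
    print(f"95^9 / 62^9 = {keyspace_ratio(PRINTABLE, 9, ALNUM, 9):.0f}x")

    # Online vs offline: same password, same keyspace, wildly different time.
    for label, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE)):
        y = years_to_exhaust(PRINTABLE, 7, rate)
        print(f"7 printable chars, {label:7s}: {y:12.4f} years")

    # Length needed to survive a decade of offline cracking at the assumed rate.
    print("alnum length for 10y offline:", min_length_for(ALNUM, OFFLINE_RATE, 10))
```

The first ratio is the whole point of the author's objection: dropping from 9 alphanumerics to 7 printable characters shrinks the keyspace by roughly two hundred times, so of course the shorter password falls faster, symbols or not. The online/offline line shows the other argument: a 7-character printable password takes on the order of two thousand years to exhaust at 1000 guesses per second, and minutes at the assumed offline rate.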
So let's assume your password hash has been compromised somewhere, and that the attacker has a large farm of GPUs to crack it with. Those are big assumptions, but not unreasonable ones. Especially since many people use one password across sites and devices, so if their LinkedIn password is cracked, like what happened recently, a would-be attacker can potentially target those users and get into their bank accounts, network accounts and so on.
All you need to do is look at this graph. With current technology, a password that adheres to the following will hold up:
Password1!
Qwerty12345.
ILoveJanet!
JD1961-04-24
Bal_s can, fly 10
photo M_ - blue
If you adhere to that, you will be relatively safe. Computer security is a moving, dynamic system, and as long as you keep current with technological advances you will be OK. A 9-character password might not be good enough in 5 years' time, so do not expect it to stay secure forever. Change it, adapt. In 5 years, or whenever 9-character passwords can be cracked easily, move to 10 or 11 characters. But there is no need to overreact and start using 15-character passwords now: a 15-character password is just as impossible to brute-force as a 12-character one today.