I’ve found a good article that rationalizes (and, in my opinion, proves) that long passwords are stronger than complex passwords. Here is an excerpt:
The conventional thinking is that the additional complexity presents such an increased workload for the hacker that complexity is the holy grail of password hacking prevention. After all, conventional wisdom says that all the good Web sites require complexity. Heck, a Microsoft Windows log-on password requires complexity. Every new password policy I read requires complexity — but gives scant consideration to the equal (or better) importance of longer password length.
They’re all wrong! Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords.
Link to article here:
http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html
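The excerpt's length-versus-complexity claim can be checked with exhaustive-search arithmetic. The following Python sketch is an added example, not code from this post or from the InfoWorld article. Its function names and character-class sizes are this example's own, and it assumes every character is chosen uniformly at random, so it does not model dictionary or pattern-based guessing.

```python
import math

# Printable-ASCII class sizes (assumption: US keyboard layout).
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33  # 32 punctuation marks plus the space character
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 95 printable characters


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of exhaustive-search work for passwords of exactly `length` chars."""
    return length * math.log2(charset_size)


def cumulative_keyspace(charset_size: int, max_length: int, min_length: int = 1) -> int:
    """Candidates a search must cover for every length from min to max."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


def break_even_length(simple_charset: int, complex_charset: int, complex_length: int) -> int:
    """Shortest password over `simple_charset` whose keyspace is at least that
    of a `complex_length`-character password over `complex_charset`."""
    target = complex_charset ** complex_length  # exact integer arithmetic
    length = 1
    while simple_charset ** length < target:
        length += 1
    return length


def gain_from_complexity(length: int) -> float:
    """Keyspace multiplier from widening lowercase-only to all 95 characters."""
    return (FULL / LOWER) ** length


def gain_from_length(extra_chars: int, charset_size: int = LOWER) -> int:
    """Keyspace multiplier from appending `extra_chars` more characters."""
    return charset_size ** extra_chars


if __name__ == "__main__":
    print(f"8 chars, full complexity : {keyspace_bits(FULL, 8):5.1f} bits")
    for n in (8, 12, 16, 20):
        print(f"{n:2d} chars, lowercase only : {keyspace_bits(LOWER, n):5.1f} bits")
    print("lowercase length matching 8 complex chars:",
          break_even_length(LOWER, FULL, 8))
    print(f"complexity at 8 chars multiplies keyspace by {gain_from_complexity(8):,.0f}")
    print(f"4 extra lowercase chars multiply keyspace by {gain_from_length(4):,}")
```

Under these assumptions, a lowercase-only password overtakes an 8-character fully complex one at 12 characters, and every character added after that multiplies the search space by another 26.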
How long is ‘longer password length’? Some sites will only allow you to use 8 characters.