The National Institute of Standards and Technology recommends that passwords be a minimum of 8 characters and a maximum of 64 characters, with most professionals recommending somewhere between 12 and 15 characters for most users. A length of 12–15 characters balances ease of use (a number of websites can’t handle a 64-character password, such as Bank of America, which has a 20-character maximum) and complexity (it’s estimated that it would take 2 centuries to crack a 12-character password). The time needed to crack passwords is decreasing as processors become more powerful; however, cost is a deterrent for the typical attacker (nation states have the finances to invest in quantum computing, but the average person doesn’t have $15 million to spend!).
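To see how length drives cracking time, the following added example (not from the referenced sources) computes the worst-case exhaustive-search time per length and the shortest length that meets a target within a site's maximum. The guess rate of 10^10 per second, the 95-character printable-ASCII alphabet, and fully random passwords are assumptions, so the output is not expected to reproduce the 2-century estimate quoted above, whose assumptions are not stated.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
NIST_MIN, NIST_MAX = 8, 64   # length bounds quoted in the text
PRINTABLE_ASCII = 95         # assumption: characters drawn from printable ASCII
ASSUMED_RATE = 1e10          # assumption: attacker guesses per second


def length_ok(password, site_max=NIST_MAX):
    """Check the length bounds, counting Unicode code points rather than bytes."""
    return NIST_MIN <= len(password) <= site_max


def worst_case_years(length, alphabet=PRINTABLE_ASCII, rate=ASSUMED_RATE):
    """Years needed to try every random password of exactly `length` characters."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def min_length_for(target_years, site_max=NIST_MAX,
                   alphabet=PRINTABLE_ASCII, rate=ASSUMED_RATE):
    """Shortest permitted length that resists exhaustive search for target_years.

    Returns None when the site's maximum length is too small to reach the target.
    """
    for length in range(NIST_MIN, site_max + 1):
        if worst_case_years(length, alphabet, rate) >= target_years:
            return length
    return None


if __name__ == "__main__":
    for n in (8, 10, 12, 15, 20):
        print(f"{n:2d} chars: {worst_case_years(n):.3g} years (worst case)")
    # An attacker 100x faster than assumed costs the defender about one character.
    print(min_length_for(200), min_length_for(200, rate=ASSUMED_RATE * 100))
```

Passing `site_max=20` models a site with a 20-character limit like the one mentioned above; human-chosen passwords fall far faster than these random-password figures suggest.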
References: NIST Digital Identity Guidelines
Estimating Password-Cracking Times