Actually at least 8 and at most 20 characters long
ti sseug lliw eno on
8 to 20, hmm. Our penetration testers popped my mostly random password, that was... towards the shorter end of that length range. So, 8 characters is officially not enough any more.
If I go for more random letters in a fixed pattern (when I have to type out the sxddxngxthxng and remember it), is it OK to reveal the pattern as a helpful example? Best not, probably. The main thing is, I just remember x letters of it at a time. Type, pause, think, type...