12 Characters in the minimum assuming you don’t use the same password on a site/system that stores it in plain text (people still do this in 2015 sadly), get’s hacked and your password ends up in a password database. .
You also need multiple passwords for all your accounts and never share critical software passwords with non critical software.
I use the following pattern:
Critical: Home banking accounts must use unique password not shared and very long (mine 20+ chars)
High: Google like identity providers (15+ chars) not shared
Medium: Social networks, 12+ but generated based on the same pattern with a derivation rule
Low: Occasional accounts, 8 char throw away password, shared between all accounts.(I know this is bad, but I’m not a machine, I can’t memorize dozens of passwords. I also rather not use password managers, they appear to be the week link in case of an attack)