@AITpro hope no offense was taken either way. Was not my intention, just wanted to illustrate a point that length with respect to the current password hashing scheme for wordpress alone is not a deterrent for attackers at this point in time and easy access to user names is all they really care about, since they usually just brute force logins once they know the user names and don't care about needing the hash itself.
Still, password cracking is a common threat in todays landscape of GPU hardware based password cracking machines, and wordpress passwords in general are quickly broken in hash cracking competitions since the average user only uses a small subset of actual characters for their passwords, often limited to lowercase letters and numbers only and usually no more than 8 characters. Not to mention hash length extension attacks that use probability statistics in reducing the common key space used to only commonly used characters and removing certain letters, special characters, etc, the process of cracking most(but not all) passwords becomes even that much faster when you add additional cracking techniques.
Not trying to hijack the thread or to cause hysteria, but users should be aware of a number of security practices, not just htaccess control and strong password use, but also monitoring of login attempts, something I hope is someday implemented into wordpress itself to notify admins if a failed password attempt has taken place. There good thing is there are plug-ins to help users in that area to fill the void, including one I've written myself, but you don't need to use mine to be able to log these attempts. There are plenty of other plug-ins that help with that regard and I would suggest every WordPress user consider using some form of login monitoring plug-in that emails the admins of attempts. Just one more layer in a balanced approach to securing your site, and something most users would probably be surprised at how many people are already brute forcing their way into your sites already, directly against the login page of wordpress itself. One of the first things I do when setting up WordPress is install a login alerts plug-in, and change all usernames to use different nicknames for posts and comments, so attackers can't use default names like admin to login with(which is a topic for a whole other discussion on why you should never setup wordpress with the username admin).