Length is still significant because brute force attacks still exist, and after the most common passwords and their "substitute zeros for the letter O" type of variants, they tend to go shortest first then append suffixes. There is theory and there is what attackers actually do.
(but yes that's probably too many 3's to be practical, I just held the key down a bit too long)
People are not nearly as creative as they think. Brute force attacks are informed by the current password "culture". If you rely on creativity and obscurity to provide additional security on top of your password, you better factor in Moore's law. Otherwise current computer users and future generations need to become exponentially more creative with their password tricks.
Length does not mean much. I bet some password crackers already test "password123" sooner than just "password" or will soon. And without doubt, they test "password123" before testing "a", "b", "c", etc.
"foobar333333333333" is a lot safer than "foobar", not only by length, but also because it now includes numbers, so it went from a character space of 26 (a-z) to a character space of 36 (a-z, 0-9) and it more than doubled its length. 6^26 < 18^36 (where ^ means to the power of); add in a capital letter and a symbol and the "strength" of the password explodes.
Even "p4ssw0rd" is safer than "password" if we're only talking bruteforce. (Though all variants of password are already in multiple rainbow tables, as are all strings of length <6, so meh.)
Adding a digit adds 3-4 bits of entropy. Adding a symbol adds another 3 or 4. Adding a capital letter adds a little more than 4 bits. Replacing a letter with a number adds at most one bit of entropy.
Keep in mind that even if no black hat hacker has ever considered that people might use repeated digits at the end of their password, you do not really have an 18^36 character space. Assuming "foobar" was truly selected at random and 333333333333 was a legitimately random number, then you actually have 6^26 * 12^10. That is still an unrealistic assumption.
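To make the "theory versus what attackers actually do" point concrete, here is an added Python example (not any poster's code) that scores a password under the naive "length times character set" model and under an attacker model that already knows the "word plus one repeated digit" habit. The pattern model, its assumed maximum run length of 16, and the sample passwords are my own assumptions.

```python
import math
import string

# Both functions return "bits of strength": log2 of the number of
# candidates an attacker must try under a given model of that attacker.

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def naive_bits(password: str) -> float:
    """Character-class model behind 'length x charset' arguments: every
    position is assumed to be drawn uniformly from the union of the
    classes that actually appear in the password."""
    charset = sum(len(cls) for cls in CLASSES
                  if any(ch in cls for ch in password))
    return len(password) * math.log2(charset)


def pattern_bits(password: str, max_run: int = 16) -> float:
    """Attacker who knows the 'lowercase word + one digit repeated' habit.
    Candidate space: word (26^len) x which digit (10) x how many repeats
    (1..max_run, an assumed cap). Passwords that do not fit the pattern
    fall back to the naive estimate."""
    word = password.rstrip(string.digits)
    run = password[len(word):]
    fits = (run and len(set(run)) == 1
            and word.isalpha() and word.islower())
    if not fits:
        return naive_bits(password)
    return (len(word) * math.log2(26)
            + math.log2(10) + math.log2(max_run))


def compare(password: str) -> dict:
    """Both estimates, rounded to one decimal, for side-by-side display."""
    return {"naive": round(naive_bits(password), 1),
            "pattern_aware": round(pattern_bits(password), 1)}


if __name__ == "__main__":
    # Constructed samples: the thread's "foobar" with and without a run of 3s.
    for pw in ("foobar", "foobar3", "foobar333333333333"):
        print(pw, compare(pw))
```

The naive model credits the twelve 3s with about 65 extra bits, while the pattern-aware model credits the whole suffix with barely 7, the same as a single trailing 3.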
Which of the following do you think is most secure?
pikachu, 1101000010010000101100010000000100010101011111, 1502205420042537, 57329965876575, 57329965876575, 1110000011010010110101101100001011000110110100001110101, 1603226554130664165, 31641107307915381, 70696B61636875, 34242C40455F.
People have been misled about password security. It's easy to understand; people respond better to stories than numbers and have been trained to choose passwords satisfying meaningless criteria thanks to most websites. Using "p4ssw0rd" instead of "password" or switching your keyboard to dvorak to enter your qwerty password sounds clever enough to foil a hacker if you think of it in terms of outwitting someone. There is an XKCD comic about passwords that explains what makes a good password scheme, but people mock it as being wrong because they don't understand the math.
Also, a password is not weak because it is in a rainbow table. Any password of any length could be put in a table. Using a salt makes rainbow tables useless, so it is not something to worry about.