And conversely, all 4 of the 14 char passwords were also variants of username/email address/domain. Same with both 13 char passwords.
I'd wager most of the 2500 or so passwords cracked were variants of the email/username/domain. I think there is a pretty important lesson there.
Namely, don't trust sites that "encrypt" your password with MD5 or anything similar? Don't trust sites that do not understand the fundamentals of encryption?
Read this. Bear in mind that the $2000 CUDA systems he's referring to are the same sorts of systems that are described in the BTC mining threads.
Then consider how much having a "strong" password, by any definition of "strong" you'd like, would save you under those circumstances.
Even if they used 4096-bit encryption, if your email address is awesomedude@vanitydomain.com and your password is 4w3s0m3dud3v4n1tyd0m41n, it will take any semi-intelligent cracking system (like john) a few minutes to guess. A 23-char password will be impossible to brute force, but if it is a variant on your name, there is a good chance to crack it in minutes rather than the expected lifetime of the sun.
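A registration-time check for the pattern described in the post above, added here as an example and not code from the thread: it applies the same letter-for-symbol substitutions a rule-based cracker uses and measures how much of a candidate password is just the user's own email address in disguise. The email and password are the ones quoted in the post; the `LEET` table, `identity_tokens` and the 0.8 threshold are this example's own choices.

```python
import re

# Forward leetspeak alternatives per letter: the same kind of mangling a
# rule-based cracker applies to a wordlist, used here on the defender's side
# to recognise a disguised identity token inside a candidate password.
LEET = {"a": "[a4@]", "e": "[e3]", "i": "[i1!]", "l": "[l1]",
        "o": "[o0]", "s": "[s5$]", "t": "[t7]"}


def leet_pattern(token):
    """Regex that matches the token with any mix of leet substitutions."""
    return "".join(LEET.get(ch, re.escape(ch)) for ch in token)


def identity_tokens(email):
    """Candidate words an attacker would derive from the user's email address."""
    local, _, domain = email.lower().partition("@")
    labels = [lbl for lbl in domain.split(".") if lbl]
    # registrable name without the TLD, e.g. "vanitydomain" (assumption:
    # single-label TLDs; good enough for a policy check)
    sld = "".join(labels[:-1]) if len(labels) > 1 else domain
    tokens = {local, domain, sld, *labels}
    tokens.update(re.split(r"[._\-+]", local))   # john.doe -> john, doe
    return {t for t in tokens if len(t) >= 4}   # skip "com", "bob", ...


def identity_coverage(password, email):
    """Fraction of password characters covered by (possibly leet-mangled)
    tokens taken from the user's own email address."""
    if not password:
        return 0.0
    covered = [False] * len(password)
    for tok in identity_tokens(email):
        for m in re.finditer(leet_pattern(tok), password, re.IGNORECASE):
            for i in range(m.start(), m.end()):
                covered[i] = True
    return sum(covered) / len(password)


def is_identity_variant(password, email, threshold=0.8):
    """Policy check: reject passwords that are mostly the user's own identity."""
    return identity_coverage(password, email) >= threshold


if __name__ == "__main__":
    # The 23-character password from the post is 100% email address.
    print(identity_coverage("4w3s0m3dud3v4n1tyd0m41n", "awesomedude@vanitydomain.com"))
```

Length alone never enters the decision; the check only asks how much of the password an attacker could have read off the account's own identifiers.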