a

[smesv]

a

[Lauda]

Ambiguous question. "Random thief"? You can use a website such as this one to test out password strength (do not enter your actual password though): https://howsecureismypassword.net/.
Most of mine are a mix of all characters and longer than 20. For a "random thief" anything above 10 is okay depending on how much you are securing.

[BlockCAT]

A password manager like Keepass is definitely a good thing to use. Then your passwords can be as strong as you want, without risk that you'll forget it.

[Coin-Keeper]

How strong should a passphrase aka 25th word to seed be to protect against brute force attack from random thief?

I am going a different direction with answering your title question.  First I understand math and what you asked about.  The reality is that the average "random thief" is malware and/or a virus infected computer.  With malware I don't need to "break" your password at all.  I simply wait for you to conduct a transaction and then I hijack it and re-direct the receive address to which the TX sends the coins.  Its done every single day and you can find numerous threads in this forum where folks have been "had".  The better question may be how do you protect against that?  The answers are many and simple, but in simplistic terms you function without ever having your private keys online.  Cold wallets, hardware wallets, etc....  I would challenge you to find many threads here or anywhere discussing stolen coins because someone hacked a 10+ digit password WITHOUT the assistance of malware.  And if malware is in play the password doesn't mean much.

[Eric Cartman]

How strong should a passphrase aka 25th word to seed be to protect against brute force attack from random thief?

I am going a different direction with answering your title question.  First I understand math and what you asked about.  The reality is that the average "random thief" is malware and/or a virus infected computer.  With malware I don't need to "break" your password at all.  I simply wait for you to conduct a transaction and then I hijack it and re-direct the receive address to which the TX sends the coins.  Its done every single day and you can find numerous threads in this forum where folks have been "had".  The better question may be how do you protect against that?  The answers are many and simple, but in simplistic terms you function without ever having your private keys online.  Cold wallets, hardware wallets, etc....  I would challenge you to find many threads here or anywhere discussing stolen coins because someone hacked a 10+ digit password WITHOUT the assistance of malware.  And if malware is in play the password doesn't mean much.

I think he meant brute force attack

Usually only system connected to internet are vulnerable to malware attacks

[BurstIQ]

How strong should a passphrase aka 25th word to seed be to protect against brute force attack from random thief?

I use a minimum of 12 characters up to a max of over 20 depending on what to secure.

U can also use password managers such as keepass, last pass, one password, etc...
They can help you generate very secure random passwords to make life easier.

[kolloh]

How strong should a passphrase aka 25th word to seed be to protect against brute force attack from random thief?

I use a minimum of 12 characters up to a max of over 20 depending on what to secure.

U can also use password managers such as keepass, last pass, one password, etc...
They can help you generate very secure random passwords to make life easier.

Yeah, I definitely recommend using a password manager so that you can ensure you use a strong password. This also allows you to never reuse a password which is one of things that gets people in trouble due to site leaks and such.

If you are talking about seed words for a wallet, you will want to ensure that those words are totally random. Its best to let these be assigned to you and not to specify your own as humans aren't very random.

[BrickMan]

I agree with the other's recommendation  to use a password manager and generate a unique random password for each new account you have.
This pretty much guarantees protection from random brute force attacks. this is because what we call brute force attacks is not really brute force. A real brute force would take an enormous amount of time and would require a lot of computer power. For instance take a look at this reddit thread (https://www.reddit.com/r/theydidthemath/comments/2o1xhg/request_how_long_would_it_take_to_crack_10/) which shows how much time would it take to brute force ONE 10 character password. So that is simply not feasible for the random thief you are saying. Random thieves if they want to use such attacks usually do a "dictionary attack". What this means is that the have a file, a wordlist with a lot of possible human passwords (for example it has qwerty,123456789 and many more) and they try to see if someone was naive enough to use such a password in their account. So pretty much a random password would result in almost complete protection from dictionary attacks from the average Joe.

[Sex Video Chat VKcams.com]

thief?

You need to consider, that the attacker can use many strategies.
So at least not use the same password in other places.

[Kakmakr]

How strong should a passphrase aka 25th word to seed be to protect against brute force attack from random thief?

I am going a different direction with answering your title question.  First I understand math and what you asked about.  The reality is that the average "random thief" is malware and/or a virus infected computer.  With malware I don't need to "break" your password at all.  I simply wait for you to conduct a transaction and then I hijack it and re-direct the receive address to which the TX sends the coins.  Its done every single day and you can find numerous threads in this forum where folks have been "had".  The better question may be how do you protect against that?  The answers are many and simple, but in simplistic terms you function without ever having your private keys online.  Cold wallets, hardware wallets, etc....  I would challenge you to find many threads here or anywhere discussing stolen coins because someone hacked a 10+ digit password WITHOUT the assistance of malware.  And if malware is in play the password doesn't mean much.

I think he meant brute force attack

Usually only system connected to internet are vulnerable to malware attacks

How are you going to validate logins without being online? Some malware can operate offline too and will sit their idle logging your actions and once you are online again, it will notify their master and the logged information can be accessed remotely. Some of these can even be stored within the firmware of some devices like USB memory sticks. < Example : https://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/ >

The longer and more complex the passphrase the longer a Bruteforce attack will need to be done to acquire it. 

[Velkro]

https://howsecureismypassword.net/.

Great project to evaluate "stronginess" of specific password.
To have good pass always use diffirent kind of characters letter with number and special characters. Then use lower case characters and upper case. With that your password don't need to be THAT long but longer the better.