Recommended level of password complexity for Keepass

Let's first establish clearly what should be a common sense truth: A password manager master password is a very high value secret. (This is irrespective of which password manager you are using.)

This is for a rather simple, fundamental reason: this one password, together with the encrypted password database that it protects, essentially allows full access to every account for which you have credentials stored within that database.

Thus, you should ensure that this password has a corresponding level of security. Traditionally, this has led to the use of weird password schemes which have tried to combine the goals of making passwords memorable as well as making them secure. With today's computing resources, that's just not a practically achievable goal with a simple password any longer.

Instead, I like to recommend Diceware style passphrases. (Diceware is similar to the scheme described in XKCD 936, but more explicit on how to gather the randomness. Also, in Diceware, if the generated sequence of words makes sense linguistically, you are actually supposed to start over.) In proper Diceware, you use a random physical process (throwing physical dice) to gather randomness, then convert that randomness into words by looking up the numbers in a list of words. In the specific case of Diceware, you use five throws of ordinary six-sided dice to generate about 12.9 bits (log2(6^5) = log(6^5) / log(2) ~ 12.92481... bits) of randomness per word. While for reasons of physics regular play dice tend to not be perfectly fair (produce every value with equal probability), if this is a concern to you then it is possible to buy "casino dice" that are perfectly fair; however, the error is likely small enough that a single extra word accounts for any reasonable reduction in dice fairness, and you can easily test your own particular dice by making a reasonable number of throws and noting how many times each value comes up (which with perfectly fair dice and a large number of throws should be 1/6 the number of throws, because the dice is six-sided).

Since we normally assume that an adversary knows how you generated your password or passphrase but not the exact input or end result, this means that the adversary knows that you generated it using the Diceware method and dictionary. They might very well even know the length of your password.

Given those assumptions, we can actually directly calculate how difficult a Diceware passphrase is to guess: For a properly generated Diceware passphrase, each word corresponds to something very close to 12.9 bits of security. For a reasonably well generated passphrase using ordinary play dice, this is probably a little less simply because all values are not equally probable.

For a high-value password where an offline attack is a feasible mode of attack, such as that to a password manager, I'd probably want at least 90-100 bits worth of security. 100 bits worth of security using Diceware needs eight words. (100 / 12.9 ~ 7.752, and round upwards.) Since the average Diceware word is about 4.2 characters, and you need a separator (conventionally a space) between them, this means a passphrase giving you about 100 bits of security becomes approximately 41 characters long. (8 x 4.2 characters, plus 7 separator characters, is 40.6.)

For comparison, this is less than twice the length of your example ireallyhatebluemountains (which clocks in at 24 characters) but, as also illustrated by the other answers, is far more secure in practice and not much more difficult to remember. Your example password would essentially need to be generated completely randomly for it to have similar security (100 / log2(26) ~ 21.3 characters to get to about 100 bits: log2(26^21.3) ~ 100.12).

It all depends on entropy as seen in @Yuriko's link but also on a related concept: the basis.

Entropy

The entropy is a concept coming from thermodynamics. It basically represents the number of possible states reachable by a given system. In practice, in the computer-security realm, it is related to the number of combinations ("states") that exist, that is to say, the number of possible passwords one has to try before guessing correctly.

For instance, take your 23-letter password. Using only the 95 ASCII printable character, the attacker would need to try at most 2e45 passwords to correctly guess it. This value (2 followed by 45 zeros), is directly related to the entropy we are talking about. If that value goes up (because you added one character in your password for instance), the entropy goes up which means that your password becomes stronger.

This is the exact reason why you can hear that people should use longer password, not complex-to-remember ones.

Basis

The concept of basis comes from algebra. Without going into much details, the basis represents the available building blocks to represent a system. In practice here, the basis is your password building blocks: the available letters.

For instance, I've just written about "95 printable ASCII characters". This is a basis: to create a password, your are allowed to use letters from those 95 letters. Another basis could be "the 26 lowercase basic letters" or the "52 upper and lowercase basic letters" or "the set of lowercase letters minus 'l' and 'o' with all the numbers".

The basis can be even more complex:

Your password must be composed of a series of existing words.

or

Your password must be at least 8-character long. It must be composed of alphanumeric characters plus ':', ";" or "!". It must contain at least one uppercase letter.

can also be expressed as a basis.

Minimal basis

The minimal basis is the smallest basis that can be used to express the password that the attacker wants to guess. In our case, the minimal basis for your password is a set containing your password only. :)

However in the case of a real attack, this is exactly what we want to know. Yet attackers will choose a basis that is deemed large enough but not too large in order to avoid expensive calculations.

Now let's imagine that the attacker uses the basis "all the 26 basic lowercase characters" to crack your password, it would require at most 4e32 (4 followed by 32 zeros) guesses to be sure to get your password. Even at a testing rate of 1 billion passwords per seconds, it would still be quite safe.

Now let's imagine the attacker uses the basis "common english words" (2000), then it would require at most 3e16 guesses, which can be done within a year.

This is one of the reasons why some people still recommend to force the use of a larger minimal base by imposing rules at password creation time. That means that if you are using a basis element (character, word, etc.) that is not included in the basis the attacker chose, he just cannot guess your password. That means that the only attackers able to find your password would need to use a larger basis which will require a lot more time.

Strong enough password

Now I guess that you understand the relationship between the entropy and the basis: the larger the basis, the larger the entropy. Said otherwise, the entropy is related to:

(basis size)^(number of basis elements)

The whole point of the XKDC comics is to understand that increasing the basis size is something our brain is not good at: the result seems more random but it is not (and it is generally harder to remember).

To paraphrase what the author already said, take an 8-character password: it will be 2000 faster to try all the possible combinations if the attacker knows that the password is made of "the 26 lower case letters and 10 numbers" than if he thinks there can be any ASCII characters in it.

In comparison, just add 3 extra character to the original password and you already are 20 slower than the 8-character ASCII password.

Randomness

Most password cracking programs contain a statistical analyser (or the results of previous analysis). The purpose of this kind of code is to adapt or tweak the attackers minimal basis to the human mind and habits.

For instance, most people capitalize the first letter of their password when they have to. This is so common that this is tested in priority. Most people who use words as basis elements tend to create sentences. Some letters are more likely followed by some other letters, etc.

To avoid that and get the maximal entropy out of your password (and therefore the strongest passwords), you need randomness to defeat all these statistical attacks.

This is one thing that your current passphrase lacks.

Should I include capital, digits, etc?

• If it is easy for you, why not: this contributes to increasing entropy and it forces the use of a larger attack basis set, which are good things.
• If it is not easy for you, just add a new word to the mix and you would get roughly the same effect on computing times.
• However you should make your password more random.

A few warnings:

• I have always talked about "time to test all combinations" or "would require at most...": this is the realm of statistics. There is a probability that you guess right at your first try, second try, etc. There are remarquable values that people throw like the square root of the number of combinations (birthday paradox should ring a bell here). However these are useless for qualitative discussions like this one.
• I have always talked about quantities "related" to entropy: these are not directly entropies but they are easier to understand.

Basically Yuriko already told you the answer to this question.

Complex passwords are dead for some time already. In fact, I get really mad when some service forces me to use some complexity because it's just useless. You always end up either forgetting the password or with very similar passwords (which is not the same as reusing the same password, which is even worse).

So the bottom line is, it's better to use a simple but longer password than a short complex one. If you want to add some complexity, for example for not using just small case chars, capitalize some of them, for example the beginning of each word (IReallyHateBlueMountains), the first and the last chars (IreallyhatebluemountainS), or whatever other pattern (ireallyHATEbluemountains).

No one would be able to guess any of those passwords with any cracking tool.