Hi there Pepe,
I just wanted to explain the flaw in thinking that you need a password that's unbreakable by machines.
The days of a script looping through 10,000 dictionary words to try to log into your account are long gone. Even when it doesn't work, it's a huge drain on server resources. Here's one example of how this should be protected against:
Allow up to 10 consecutive attempts to log in. Provide visual warnings to the visitor that they are nearing lockout. Once locked out, the IP addresses used in the attempts are blacklisted to save on wasted server responses, and the forum sends an email to the address on record letting them know of the lockout with a link to reactivate their account. Only the holder of the account should have access to the email address, so this would be considered sufficient with regard to security to regain access to the account and would not involve a mod or admin to help.
This method also doesn't have to worry about spoofing IP addresses and UA strings. The forum wouldn't care about the location of the login attempt. 10 tries and you're done. You can reset the attempts field at 24 hours to keep the database table clean.
With 10 attempts, you could have a 4 character unrestricted password and would likely never see a compromised account.
More important than a complex pattern is to not use the most common passwords, as that is what scripts are designed to use to try to log in.
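
The lockout scheme described in the post above, sketched as an added example (not part of the original post or of any forum's code). The class and method names and the warning threshold of 3 remaining attempts are assumptions, and sending the reactivation email is left to the caller.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 10          # from the post: 10 consecutive failed attempts
RESET_AFTER = 24 * 3600    # from the post: attempts field reset at 24 hours
WARN_WHEN_LEFT = 3         # assumption: start warning at 3 attempts left

@dataclass
class AccountState:
    failures: int = 0
    first_failure: float = 0.0
    ips: set = field(default_factory=set)
    token: str = ""        # non-empty while locked; goes into the emailed link

class LockoutTracker:
    def __init__(self):
        self.accounts = {}        # username -> AccountState
        self.blocked_ips = set()  # IPs used in attempts that ended in a lockout

    def attempt(self, user, ip, password_ok, now):
        """Return (status, detail); status is ok/failed/warn/locked/blocked."""
        if ip in self.blocked_ips:
            return ("blocked", None)         # rejected before any password check
        st = self.accounts.setdefault(user, AccountState())
        if st.token:
            return ("locked", None)          # stays locked until reactivated by email
        if st.failures and now - st.first_failure >= RESET_AFTER:
            st.failures, st.ips = 0, set()   # 24-hour cleanup of the attempts field
        if password_ok:
            st.failures, st.ips = 0, set()   # "consecutive": a success resets the count
            return ("ok", None)
        if st.failures == 0:
            st.first_failure = now
        st.failures += 1
        st.ips.add(ip)
        left = MAX_ATTEMPTS - st.failures
        if left == 0:
            self.blocked_ips |= st.ips
            st.token = secrets.token_urlsafe(32)  # unguessable reactivation token
            return ("locked", st.token)      # caller emails it to the address on record
        return ("warn" if left <= WARN_WHEN_LEFT else "failed", left)

    def reactivate(self, user, token):
        st = self.accounts.get(user)
        if st is None or not st.token or not hmac.compare_digest(
                st.token.encode(), token.encode()):
            return False
        st.failures, st.ips, st.token = 0, set(), ""
        return True
```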