Passwords - Digression

How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself?
Entropy in language.
- A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash.
- Using totally random english characters you need 28 characters.
- Using a random distribution of all 95 printable ascii characters you need 20 characters.
Observation, good passwords are hard to come by.

How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself?