If weak passwords (passphrases) are used, they can be easily determined by brute-force attacks, whether or not Whonix is installed. In essence, attackers systematically try all passwords until the correct one is found, or attempt to guess the key which is created from the password using a key derivation function (an exhaustive key search). This method is very fast for short and/or non-random passwords.
Generating Unbreakable Passwords
|Warning: It is safe to assume that advanced adversaries with modern technology can conduct bruteforce attacks at a rate of 10s or even 100s of billions of attempts per second. |
To generate passphrases which cannot be bruteforced even over a timeframe of several billion years (barring breakthroughs in quantum computing), users should default to diceware passphrases of 7-8 words in length, with the words chosen randomly by dice rolls. This provides password entropy of 80-96 bits.  Generally speaking, lower entropy is reasonable to prevent online attacks due to limits on incorrect username/password combinations, but up to 128 bits of entropy is suggested for important cryptographic keys; a Diceware passphrase of 10 words in length. 
Principles for Stronger Passwords
Users should read Wikipedia: Weak Passwords to learn better practices for generating strong passwords, and to learn if current passwords are weak. (w). The general principles for stronger passwords are: 
- Avoid short passwords of less than 12-14 characters in length - longer passwords are exponentially more difficult to crack than shorter ones. 
- Include: Upper and lower case characters, special characters, digits, spaces, underscores and brackets (unless using Diceware passphrases - see above).
- Do not re-use passwords anywhere.
- Generate passwords randomly.
- Avoid dictionary-based passwords or those dependent on keyboard patterns, special letter or number sequences, usernames, relative or pet names, biographical information, or persons known to the user.
- Avoid information that might be publicly linked to the user or the user's account, or which is known by friends or acquaintances.
- If passwords are written down, they should not be left in obvious places.
- Consider using a secure password manager, so hundreds of different passwords can be kept stored in an encrypted password database, with access only requiring one master password (which itself should be a cryptographically strong password).
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.