Is a password of 20 characters strong enough to use?
It could be, but it may not be; it depends on how random those 20 characters are. Let me demonstrate the thought with 2 common attacks on passwords. These attacks are:
- dictionary - using dictionaries of passwords someone else used before or words from “normal” dictionaries, including concatenations of 2 or more words;
- brute-force - trying all possible combinations of characters (letters, numbers, special characters), possibly using templates, e.g., first letter is capital, last is a number, lower-case in the middle.
So if you use 2–3 common words to get a 20-character password, then it will be weak.
If your password is random and not in any of the dictionaries (attack no. 1 is impossible), it has to be long enough to withstand brute-force attacks.
In this case, a 20-character password made up of 70 different symbols (lower case, upper case, digits, special characters) is as strong as today’s encryption keys. This means it is “cryptographically secure”, and it doesn’t make sense to go any further.
If you think Google represents industry standards, then its Google Authenticator uses secrets of 80 bits, which is equivalent to 13-character passwords as defined above. These secrets are used to compute one-time passwords.
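
The comparison above, worked through as an added example that is not part of the original answer: it estimates the search space for both attacks and reports the cheaper one. The wordlist, the sample passwords, the 100,000-word attacker dictionary and the split of the 70 symbols into 26 + 26 + 10 + 8 are assumptions made for illustration.

```python
import math

# Constructed sample wordlist; a real cracking dictionary is far larger.
WORDS = {"dragon", "monkey", "football", "sunshine", "password", "horse"}
ASSUMED_DICT_SIZE = 100_000  # assumption: words in the attacker's dictionary

def random_bits(length, pool=70):
    """Entropy in bits of `length` symbols drawn uniformly from `pool`."""
    return length * math.log2(pool)

def pool_size(pw):
    """Symbol pool implied by the character classes present in pw."""
    size = 26 * any(c.islower() for c in pw)
    size += 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += 8 * any(not c.isalnum() for c in pw)  # assumption: 8 specials, full pool = 70
    return size

def min_words(pw):
    """Fewest dictionary words whose concatenation is pw, or None."""
    s = pw.lower()
    best = [0] + [None] * len(s)  # best[i]: fewest words covering s[:i]
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(s)]

def effective_bits(pw):
    """Work, in bits, for the cheaper of the two attacks."""
    if not pw:
        return 0.0
    # The brute-force figure only holds if the characters were chosen at random.
    brute = random_bits(len(pw), pool_size(pw))
    k = min_words(pw)
    if not k:  # not a concatenation of dictionary words
        return brute
    return min(brute, k * math.log2(ASSUMED_DICT_SIZE))

if __name__ == "__main__":
    for pw in ("dragonmonkeyfootball", "q7#Lr2@vXp9!mZ4&tB8w"):  # constructed samples
        print(f"{pw}: {effective_bits(pw):.1f} bits")
    print(f"13 random symbols of 70: {random_bits(13):.1f} bits")
```

Both sample passwords are 20 characters long; the three-word one costs a dictionary attacker about 50 bits of work under these assumptions, while the random one costs about 123 bits.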