Is a Mac's login password the weakest link, and if so, how complex does it need to be?
There's currently no auto-lockout on failed password attempts on Mac.
Bear in mind any brute force attack is limited by how fast someone can type. It's not like they can hit it with 2000 tries a second.
See https://math.stackexchange.com/questions/739874/how-many-possible-combinations-in-8-character-password for number of possible combinations.
See also https://xkcd.com/538/