That already excludes you from the definition of "typical home user".
More than password length, what matters is which 2FA you used because without that even a 64 character password might not help.
I hope it wasn't some free/Chinese vpn. Also, nowadays win 10/11 default security updates are quite good enough & assuming you follow the standard security guidelines on your pc in the network then someone who could bypass those from your father's laptop would also be very likely capable enough to bypass whatever router security you use in any typical consumer grade hardware available.
I had 2FA with Google Auth turned on for all of my accounts. Password length matters in the context of how long someone running hashcat on a GPU cluster will take to crack it, but that obviously wasn't the vector they used to get me.
As for vpn, no, it was mullvad. Believing Windows Defender was 'good enough' is what got me into that mess. His laptop was fully updated and it still got infected. I later learned that he had possibly clicked on a spam email attachment. Obviously someone on this forum is unlikely to do that, but for the average person who can make a mistake like that once in a while, you need more aggressive heuristic-based detection and monitoring of network traffic, which Defender doesn't do. I have Bitdefender installed on my dad's laptop now because that was the AV that finally detected it.
And no, it doesn't follow that just because someone was able to infect my dad's PC, they would therefore also be able to compromise my router. Look into the Swiss Cheese Model of Security. Someone having access to an exploit that compromises one part of your network does not mean they have exploits for the others. Also, OpenWrt has thousands of eyes looking over its source code, which in turn uses the Linux kernel, which possibly has tens of thousands of eyes on it. That is why it is *secure* for all the intents and purposes I care about.
2FA is good to have but that's not fool-proof.
You don't even need to crack passwords or 2FA when you can just steal authentication/access tokens with some malicious browser extension.
That is probably how @variablevector's Google accounts were compromised.
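The post above describes session-token theft through a browser extension. As an added example (not code from anyone in this thread), the script below audits extension manifests for the permission combinations that make such theft possible: the `cookies`, `webRequest`/`webRequestBlocking` and `debugger` permissions, which expose cookies or request headers, combined with host access to every site. The three manifests are constructed samples; the extension names and the risk thresholds are assumptions for illustration, and the `load_manifest` helper is included so the same check can be pointed at a real `manifest.json` from a browser profile.

```python
"""Audit browser-extension manifests for permissions that would let an
extension read or intercept session cookies and auth tokens.
Handles Manifest V2 (host patterns inside 'permissions') and V3
('host_permissions'), plus content_scripts matches."""
import json

# Permissions that give an extension direct access to cookies or request headers
TOKEN_ACCESS_PERMS = {"cookies", "webRequest", "webRequestBlocking", "debugger"}
# Host patterns that match every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host pattern the manifest declares, whatever the manifest version."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        # A content script injected into a page can read non-HttpOnly document.cookie
        hosts |= set(script.get("matches", []))
    return hosts


def assess(manifest):
    """Return (risk, findings) for one manifest dict.
    high   = token-access permission AND host access to every site
    medium = one of the two
    low    = neither"""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    findings = []
    for perm in sorted(perms & TOKEN_ACCESS_PERMS):
        findings.append(f"permission '{perm}' exposes cookies or request headers")
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site (can inject scripts into any login page)")
    if perms & TOKEN_ACCESS_PERMS and hosts & BROAD_HOSTS:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


def audit(manifests):
    """Map extension name -> risk level for a dict of manifests."""
    return {name: assess(m)[0] for name, m in manifests.items()}


def load_manifest(path):
    """Read a real manifest.json from disk (e.g. from a browser profile's extension folder)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample manifests (not real extensions)
SAMPLE_MANIFESTS = {
    "Tab Notes": {  # only acts on the tab the user clicks; no cookie access
        "manifest_version": 3,
        "permissions": ["activeTab", "storage"],
    },
    "Coupon Finder": {  # can read cookies and headers on every site: token theft is trivial
        "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "Dark Theme": {  # no cookie API, but a content script runs on every page
        "manifest_version": 2,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["theme.js"]}],
    },
}


if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        risk, findings = assess(manifest)
        print(f"{name}: {risk}")
        for line in findings:
            print(f"  - {line}")
```

A "high" result does not prove an extension is malicious, only that it has everything it would need to lift a Google session cookie; the point of the check is to shortlist what to review or remove on a machine where shared accounts are used.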
This is a very good point, damn. I had probably logged into my gmail account on his laptop weeks ago and never logged out. It also explains how they were able to circumvent the 2FA.