According to this article on password security, cracking passwords is difficult enough that a 9 character password is safe. However he is working on a specific password challenge – to find a password to an encrypted archive file.
And he is right … for that specific application.
As it happens, he is using what is effectively the state of the art in password technology, whereas for many applications we are forced to use very outdated technologies. The speed of brute forcing a password is not simply a function of how fast the hardware you have access to is, but also a function of how hard the password hashing function is.
Different password hashes are calculated in different ways, and some are faster than others; in some cases much faster. The most common password hashes today are Windows password hashes (pretty weak) and passwords stored on websites using MD5 (ultra weak).
A more realistic article on the speed of password cracking can be found here.
Nobody can be expected to know everything about password security, and a journalist even less so. But someone writing an article on password security should at least cover the basics; and this guy hasn’t done that.
Medium length passwords (8-10 characters) are only safe to use for specific applications where the password hash algorithm is known, and known to be strong. All other passwords should be longer.