I hope wiser people will correct me if I'm wrong, but I believe the following information should be in the Security section of the documentation:
About Pasword Strength and Security. OpenWRT does not, by default, make the admin interface (or ssh, if you enable that) available to the Internet at large, so you are much less likely to face a brute force or dictionary attack. Unless you change that setting, the only people who can even attempt to log in as root are the ones who can either physically plug in via an Ethernet cable or who you've already given access to your WiFi. Consider who will be using this device. If it is just your friends and family in a typical home installation, you should not overly worry about password strength.
Of course, mistakes happen and sometimes people accidentally enable administrative access on the WAN port instead of the LAN. In that case, the probability is 100% that you'll have tons of bots trying to guess your password. For that possibility, it is recommended you take these steps:
Use a long password, eight letters or more. Numbers and symbols are not necessary for strong security, but they don't hurt. Write down the password and store it in a secure location. For home users, it is reasonable to simply tape the password underneath the device.
Do not use the same password for the admin account as you use for your WiFi access. Giving someone access to your Internet should not be the same as giving them the keys to modify your router.
After configuring your device, test to make sure you cannot log into it from a device not on your LAN.
Use tools such as bearDropper and sub2rbl to detect automated attacks and stop them. https://forum.archive.openwrt.org/viewtopic.php?id=62084&p=1
If you are setting up a public WiFi access point in a particularly risky environment — say, a coffee shop next door to a halfway house for antisocial computer engineers — consider using SSH keys to login and disabling password access completely.