Most web-hosts that aren't secure won't stick around too long. Look for a host that has been up and running for a long time and chances are you won't have any security problems. I would recommend 1and1.com hosting. They had a promotion on awhile ago for 3 years of free hosting (unfortunatley it's done now). I am just pleased with the amount of features I get with it. I not only have FTP access to the space, but there is SSH access, on-line database setup tools, statistic pages, site generators, a cgi debugger and I could go on. I believe it is their cheapest package and for the $5 a month it is well worth it.

In terms of passwords, yes any password can be brute-forced. It's just like someone guessing your password. You can't make one up that can't guessed so none exist that can't be brute forced. If you had a password of "john", a simple dictionary attack could brute force it in minutes, whereas if you had "a37o1D$p3" as a password, random passwords would have to be run against it but eventually, many days or weeks later. of would be matched.

I hope this at least clears a few things up. Let me know if you need more info.