Over at Better Buys they have an interesting post on password cracking times. The post includes an interactive app that lets you estimate the cracking time for various passwords. They also include several examples that show how cracking time is very dependent on password length.
The application is fun to play with but you probably shouldn’t take the results too seriously. They have a list of common passwords that they check against but after that the cracking time is completely dependent on the character types and lengths. Thus, they say that “Password” would be cracked almost instantaneously but “P@assw0rD” would take 14 years. In fact, they would both be cracked almost instantaneously because modern password cracking programs will automatically try these types of common substitutions.
I tried the simple Diceware password “luis pure comet” and was told that it would take 402,695,494 millennia to crack it. That assumes that the cracker can try 13,144,654.63 keys per second. But if the cracker knew or suspected that the password was generated with Diceware, the cracking time would be less than \(2^{13*3}/13144654.63\) seconds to crack. That’s less than 12 hours.
The lesson here is that there’s a bit more than just character types and length involved. If you really want to be safe the answer remains what I’ve told you before: Get a password manager that generates long, random, multi-character type passwords and protect that with a long Diceware type password. Even given you’re using Diceware, a 6 word password would take about 729,094,589 years to crack at 13,144,654.63 keys per second.