https://passfault.appspot.com/password_strength.html#menu Pretty much shows how pointless bruteforcing is with even a mediocre password against a 180,000 dollar machine using dictionary attacks with word substitution etc. Pretty realistic. Example: http://howsecureismypassword.net/ My weak "password10name" gives: whereas passfault gives: 1 day Of course, even a simple password (my example from another topic-two random words and a friends birthday): DogShake52591 would take a 180,000 dollar computer "1 decade, 8 years." Adding a "!" pushes that to "7591 centuries." Just goes to show that you don't need a 20 character password to be safe. Simple 12 character passwords are plenty for the average user and if you're expecting government intervention simply moving to 16 characters makes your password essentially uncrackable.