
This test illustrates that throttling the number of login attempts is probably more important than password length. Synapse currently does not throttle login attempts, so roughly ten attempts per second against a single account are possible.


Human Generated Passwords

Passwords chosen by real users are usually weaker than randomly generated passwords of the same length, because people follow predictable patterns. When users are required to include a capital letter, they most often capitalize the first letter of a word. When required to include digits or special characters, they often use 'leet' substitutions, so 'password' becomes 'p4$$w0rd'. Attackers know these patterns and exploit them with rule-based dictionary attacks: a wordlist of common passwords is tried first, then the same list with capitalization, substitution and suffix rules applied. Such a password does not get the benefit of its length. Even though 'password' is eight characters long, it would be cracked on the second attempt of a dictionary attack, since it is the second most common password ('123456' is number one), and 'p4$$w0rd' falls only a few dozen guesses later.
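The following is an added example, not code from the original page or from Synapse. It shows how a rule-based dictionary attack turns a small wordlist into guesses in the order an attacker would try them (plain words, then first-letter capitalization, then leet substitutions, then common suffixes), and how many guesses the 'human' passwords discussed above survive. The five-word list, the substitution table and the suffix list are constructed for the example; a real attack would use a leaked-password list of millions of entries. The `seconds_to_crack` helper combines the guess count with the unthrottled rate mentioned in the test above (an assumed ten guesses per second), which is the point of the throttling observation: length buys nothing when the guess order is predictable and the rate is unlimited.

```python
import itertools

# Constructed five-entry wordlist ordered by frequency. This stands in for a
# real leaked-password list; the ordering is the only thing that matters.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]

# Common 'leet' substitutions. The original character is listed first so the
# unmodified word is always the first variant enumerated.
LEET = {
    "a": ["a", "4", "@"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "7"],
}

# Suffixes people commonly append to satisfy "must contain a digit/symbol".
COMMON_SUFFIXES = ["1", "123", "!", "2024"]


def capitalize_first(word):
    return word[:1].upper() + word[1:]


def leet_variants(word):
    """Yield every combination of leet substitutions for word, original first."""
    pools = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*pools):
        yield "".join(combo)


# Mangling rules. Each takes one dictionary word and yields candidate guesses.
def rule_plain(word):
    yield word


def rule_capitalize(word):
    yield capitalize_first(word)


def rule_leet(word):
    yield from leet_variants(word)


def rule_capitalize_leet(word):
    for variant in leet_variants(word):
        yield capitalize_first(variant)


def rule_suffix(word):
    for base in (word, capitalize_first(word)):
        for suffix in COMMON_SUFFIXES:
            yield base + suffix


# Rules are applied as passes over the whole wordlist, cheapest and most
# likely first, which is how rule-based cracking tools order their work.
RULES = [rule_plain, rule_capitalize, rule_leet, rule_capitalize_leet, rule_suffix]


def candidates(words=WORDLIST, rules=RULES):
    """Yield unique guesses in the order an attacker would try them."""
    seen = set()
    for rule in rules:
        for word in words:
            for guess in rule(word):
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def attempts_to_crack(target, words=WORDLIST, rules=RULES):
    """Return the 1-based guess number at which target is found, or None."""
    for n, guess in enumerate(candidates(words, rules), start=1):
        if guess == target:
            return n
    return None


def seconds_to_crack(target, attempts_per_second, words=WORDLIST, rules=RULES):
    """Wall-clock time for an online guessing attack at an unthrottled rate."""
    n = attempts_to_crack(target, words, rules)
    return None if n is None else n / attempts_per_second


if __name__ == "__main__":
    # Assumed rate: ten guesses per second, as observed against Synapse above.
    for pw in ["password", "Password", "p4$$w0rd", "P4$$w0rd", "Welcome123", "correcthorse"]:
        n = attempts_to_crack(pw)
        if n is None:
            print(f"{pw!r}: not in the rule space, brute force required")
        else:
            print(f"{pw!r}: guess #{n}, {seconds_to_crack(pw, 10):.1f}s at 10 guesses/s")
```

With this ordering 'password' is guess number 2, 'Password' guess number 6 and 'p4$$w0rd' guess number 36, so all three fall in under four seconds at ten guesses per second. A password that is not derivable from the wordlist by any rule ('correcthorse' in the sample run) is never produced and would force the attacker back to brute force, which is where length finally matters; a lockout or rate limit after a handful of failures is what makes that brute force impractical online.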