OK, that's with brute force, but I tend to think a dictionary approach would be much faster. (?)
I haven't really found any good dictionary attack tester, mainly because (I think), grades would be to be attributed to every word, based on the commonness they are used for passwords, and no one can really do that.
Hackers out there, would this be correct?
It depends on the complexity of the algorithm used and the exact resources used. Password protection is very complicated, especially given the diverse (and at times, severely detrimental) limitations on passwords. For example, a dictionary-based attack may just look for common combinations such as an adjective paired with a noun and a short sequence of numbers.
Different types of attacks, however, will work better on different passwords. A brute-force attack will work better on 6 random alphanumeric characters than a phrase, and a short phrase of random words is more vulnerable to a dictionary-based attack. As far as passwords go, a few realistic good rules of thumb are to use a longer password, don't use repeating numbers or personal identifiers, and make a few simple swaps (change an i to a !, for example). Using XKCD's fun method and some swaps, you could have a password like "f!$h ice cream pleas3" and it's much stronger against multiple types of attacks and fairly easy to remember.
More importantly, if a person is trying to gain access to something of yours, they will either:
1. Be trying simple methods en masse
2. Have personal information on you from another source and are trying to gain financial reward from hacking you (and will use your information to try to hack more effectively)
3. Your data is insecure for some other reason, making you an easy target
Number 3 is the clincher. You can have an incredibly strong password, but it means nothing if someone else can get it easily. Unsecure wifi and mobile communications are always suspect; if you must send login or financial information over these, I'd recommend getting a reputable VPN service (many businesses use these as well for various reasons; there are free ones available that are better than nothing). At the very least, make sure you are using HTTPS and have network discovery and file sharing off. It is easy for a person to fake a wifi access point and skim details- be especially wary if there isn't some sort of login/EULA portal (most food services and hotels use one, it'll redirect you when you first open a web browser) or there are multiple similarly-named unsecured wifi networks (ie FastFoodFreeWifi and FastFoodFreeNetwork; I've never seen a fast food chain with two unsecured wifi networks in the same building).
On a similar note, use a strong password for your home network; you can simplify connecting using an NFC tag if you want. That also makes a fun project. ;p
At the end of the day, cybersecurity is only as strong as its weakest point, and hackers will always find new methods of attack or obtain larger botnets and faster computers. Maintaining good passwords is just one tool in keeping your data secure. Securing your connection, updating profile and recovery information, using antivirus software, configuring firewalls, etc. are all also important.
Sorry for the long post- I just like cybersecurity, and its an important topic in this day and age that seems to get oversimplified to "strong password" a lot.
