Are you struggling for passwords for wallet encryption ?

[BubbleBoy]

It's quite possible, depending on the algorithm used and the size of the attacker. The key-space for 9 characters is 6.37 x 10^17 so assuming it's a SHA256 salted hash then the current bitcoin mining network at 15THash/sec will exhaust the keyspace in 12 hours. The US government can probably do it in minutes. You could rent the current mining network for a small multiple of t 6*50BTC*5$ = 1500$/hour, assuming a market for cracking SHA256 hashes would exist.
To escape even the US government use a 16 character random password not generated by a human (no inter-character memory, characters are statistically independent). That is indeed hard to remember.

You obviously haven't heard of key strengthening.  

I am clearly aware of key derivation - that's why I said "depending on the algorithm" and specified the attack scenario. In fact I went as far as as suggesting the best password derivation scheme at the moment - scrypt - to the bitcoin developers. That would have been even stronger than the dynamic round count they are currently using.

That said, you must realize that you have no control or information over what key derivation scheme sites you visit are using. A key derivation scheme that employs 1 second of CPU time is completely inadequate for a high traffic site - it will bog down the server CPU with a minuscule number of users currently logging in. That's why many sites use simply a salted hash, or a reduced-round variant like the md5crypt that only uses 5000 iterations. That's an extra 12 bits of entropy, but still not enough to protect a weak password.

[DeathAndTaxes]

I am clearly aware of key derivation - that's why I said "depending on the algorithm" and specified the attack scenario. In fact I went as far as as suggesting the best password derivation scheme at the moment - scrypt - to the bitcoin developers. That would have been even stronger than the dynamic round count they are currently using.

Then why did you base a hypothetical attack @ 12 hours using entire bitcoin network.  That would require 1 hash = 1 key.  Even the weakest key derivation funciton would increase that attack scope by a factor of 1000x.

Of course this thread is about bitcoin wallet passwords which do use a much stronger key derivation function meaning your 12 hour "estimate" is off by a factor of at least 50,000x.

That said, you must realize that you have no control or information over what key derivation scheme sites you visit are using. A key derivation scheme that employs 1 second of CPU time is completely inadequate for a high traffic site - it will bog down the server CPU with a minuscule number of users currently logging in. That's why many sites use simply a salted hash, or a reduced-round variant like the md5crypt that only uses 5000 iterations. That's an extra 12 bits of entropy, but still not enough to protect a weak password.

Which really has nothing to do with this thread but even a 5000 round iteration vastly increases the number of hashes per key.  All your assumptions and "estimates" were based on 1 hash = 1 key which was a problem solved nearly 3 decades ago.

[lettucebee]

God, you guys bum me out!  What should the average person do about passwords?  I got keepass, and I put all my precious passwords in there, like priceless gems that unlock all that matters to me.  But I have to create a password for Keepass, no?  And the strength of that matters more than all the passwords it contains!

[ctoon6]

God, you guys bum me out!  What should the average person do about passwords?  I got keepass, and I put all my precious passwords in there, like priceless gems that unlock all that matters to me.  But I have to create a password for Keepass, no?  And the strength of that matters more than all the passwords it contains!

use multiple words, put a rememberable number in between each number. example is "this80is80my80computer80" if you were born in 1980 and such. its long and will be perfectly fine for normal use. use a unique password for each website. use keepass if you trust that you will keep your computer safe from viruses and such. keep in mind, you can never get your passwords out of keepass if you forget your password or loose the keyfile.