You (or your friend) are/is going to want to read this thread:
I'm BIP38 curious, please help me out!.
It shows how difficult brute-forcing is. 6 random characters may be worth it at the current Bitcoin value, but you can expect to pay a lot for cloud computing power.
Note that the search space for that challenge was only upper and lowercase letters... it did NOT include numbers or symbols... And no one managed to crack the 6-character password in 2 years!!?!
Granted, it was only a 0.5 BTC prize when BTC was worth a few hundred dollars... I'm sure that 18 BTC at today's value might be slightly more incentive.
EDIT: I tried the Go cracker... it seems to average only ~10 passwords/sec on my setup.
With a charset (upper/lowercase + numbers + symbols) of: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.
A 4-character password has a total passphrase space size of: 84,934,656. So... "only" 8,493,465 seconds to check them all... or ~100 days... for a FOUR-character password.
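
An added example (not part of the original post, nor the Go cracker it mentions): a Python sketch that times the scrypt step BIP38 applies to every passphrase guess, using the cost parameters from the BIP38 specification (N=16384, r=8, p=8), and projects how long the keyspaces quoted above take at the measured rate. The salt and candidate strings are constructed, and the function names are this example's own.

```python
import hashlib
import time

# scrypt cost parameters fixed by the BIP38 specification (non-EC-multiply mode).
BIP38_N, BIP38_R, BIP38_P, BIP38_DKLEN = 16384, 8, 8, 64


def bip38_kdf(passphrase: str, salt: bytes) -> bytes:
    """Run the scrypt step that BIP38 applies to each candidate passphrase."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=BIP38_N, r=BIP38_R, p=BIP38_P,
        maxmem=64 * 1024 * 1024,  # N*r*128 = 16 MiB working set, plus headroom
        dklen=BIP38_DKLEN,
    )


def measure_rate(trials: int = 5) -> float:
    """Passphrases per second that one core of this machine can test."""
    salt = b"\x00\x01\x02\x03"  # constructed 4-byte salt, not from a real key
    start = time.perf_counter()
    for i in range(trials):
        bip38_kdf(f"candidate{i}", salt)
    return trials / (time.perf_counter() - start)


def keyspace(charset_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols."""
    return charset_size ** length


def days_to_exhaust(space: int, rate: float) -> float:
    """Days needed to try every passphrase in `space` at `rate` guesses/sec."""
    return space / rate / 86400


if __name__ == "__main__":
    rate = measure_rate()
    print(f"measured: {rate:.1f} scrypt evaluations/sec on one core")
    cases = {
        "4 chars, figure quoted in the post": 84_934_656,
        "6 chars, upper+lowercase (the challenge)": keyspace(52, 6),
    }
    for label, space in cases.items():
        print(f"{label}: {space:,} candidates, "
              f"{days_to_exhaust(space, rate):,.0f} days at measured rate, "
              f"{days_to_exhaust(space, 10):,.0f} days at 10/sec")
```

The memory-hard KDF, not the later AES step, dominates the cost per guess, which is why the rate stays in the tens per second per core.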