Are u running this against an offline blockchain ?
Because if you are running this attack against the live NXT network, then congratulations, mate, u have made an account generator.
How is that? As long as he does not transfer money FROM that account, no account is created.
Hmmm...the way I understand it (and I'm not saying that I've got a perfect understanding of NXT account security) is that an account is created with a 64 bit hash the first time a particular pass phrase is submitted to the NXT client and thus to the network/blockchain.
U can then transfer NXT into this account, but the full 256 bit hash is only created when u first transfer funds (even if it is only 1 NXT) out of the account, which is recommended for any account holding funds.
64 bit encryption is a lot easier to crack, obviously, which is why (supposedly) BCNext chose this mechanism to allow recovery of "lost" NXT in the future, ie NXT sent by mistake to an account with no set passphrase.
Have a look in the mega-thread, there is (somewhere) lots of info about this issue.
https://bitcointalk.org/index.php?topic=345619.0