Since serious password/security-crackers use server-grade systems (like clusters/supercomputers/botnets that are available in the corporate/educational environment) and are not wasting their time using compatively slow inefficient "PC desktops" to execute an attack, it seems to be at least a little naive/disingenuous to suggest that the public should choose a defense method (longer/more complex password, etc.) based upon the idea that an attacker's "PC desktop" would take "years" to complete the attack. For comparison, defending against spit-wads (PC Desktops) is useless when the attackers bring field artillery (servers/botnets, etc.). The passwords should be made stronger, yes. But, the image of a "PC desktop" attacker as the benchmark is short-sighted.
One opinion,
And, a very good opinion. For many years I was the lead Unix Administrator for a very large corporation. I managed a network with over 600 user accounts, most of the Engineers. Each user had their own desktop systems but was managed by a central authentication system. While the users had their desktops to work with, they were limited in performance, compared to the servers that I had access to.
One small piece of my job was to crack everyone's password. Methods were readily available and a password could be cracked with only knowing the the encrypted password. There was no need to actually break the encryption.
So once a month I would run all of the encrypted passwords through the cracking system. When I first started doing this, the results were amazing. In an hours time I had the password for 60% of the accounts. That's when notices started being sent informing the user that their password was too easy and pick another one. As time went on, their passwords got better and better, but I could still crack them. It just took longer and longer.
Since then, the Unix systems have enhanced their authentication capabilities and their password requirements. But the servers that are used to break unto systems have also taken a quantum leap.
