TechNoFear said:
Wrong/misinformed.
It assumes a particular attack method; brute force using all possible characters (valid ASCII values).
In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.
These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).
This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).
Dictionary attacks use word lists, correct. They do not, however, use multiple words and here's why:
As the OED is cited as containing 171,476 words, a dictionary attack using this list would take a maximum of 171,476 guesses. A two word phrase, using words taken from this list would take a maximum of 171,476^2 guesses. Hmm, that's a lot more.
The CHBS password (indeed, any four word passphrase) would take a maximum of 171,476^4 guesses. 8.645963084×10²⁰, my calculator tells me. Which at the same 1,000 guesses per second rate would take 27,416,169,089 years to exhaust the search space. So the brute force attack would actually be faster than the dictionary attack.
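As an added illustration of the arithmetic in this reply (example code, not from either poster), the following Python computes worst-case guess counts, time to exhaust and equivalent bit strength for dictionary passphrases versus printable-ASCII brute force, using the post's 171,476 words and 1,000 guesses per second. The 95-character printable ASCII alphabet and the 365-day year (which reproduces the post's 27.4 billion figure) are assumptions.

```python
# Added example: search-space arithmetic for the two attack models compared
# in the thread. Word count and guess rate are the post's; alphabet size and
# year length are assumptions.
import math

OED_WORDS = 171_476                 # dictionary size cited in the post
PRINTABLE_ASCII = 95                # assumed: printable ASCII, 0x20..0x7E
GUESSES_PER_SECOND = 1_000          # rate used in the post
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumed 365-day year, matches the post


def brute_force_guesses(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Worst-case guesses to exhaust every string of `length` characters."""
    return alphabet ** length


def dictionary_guesses(words: int, wordlist_size: int = OED_WORDS) -> int:
    """Worst-case guesses for a phrase of `words` words from one word list.
    Each extra word multiplies the space by the list size (the post's point)."""
    return wordlist_size ** words


def years_to_exhaust(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return guesses / rate / SECONDS_PER_YEAR


def entropy_bits(guesses: int) -> float:
    """Search space as bits, the usual unit for comparing unlike schemes."""
    return math.log2(guesses)


def compare(words: int) -> dict:
    """Cost of a `words`-word dictionary phrase, plus the shortest
    printable-ASCII brute force whose search space is at least as large."""
    space = dictionary_guesses(words)
    length = 1
    while brute_force_guesses(length) < space:
        length += 1
    return {"words": words, "guesses": space, "years": years_to_exhaust(space),
            "bits": entropy_bits(space), "equivalent_ascii_length": length}


if __name__ == "__main__":
    for n in (1, 2, 4):
        r = compare(n)
        print(f"{n} word(s): {r['guesses']:.3e} guesses, {r['bits']:.1f} bits, "
              f"{r['years']:.3e} years, ~{r['equivalent_ascii_length']}-char "
              f"ASCII brute force")
```

A single dictionary word falls in under three minutes at this rate, which is why the first poster's point about word lists holds for one word but not for four.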