Of course, this table does not take into account various additional protection measures, such as the Nextcloud BruteForce Protection, which delays further login attempts after several incorrect login attempts, or things like Fail2ban and 2FA. Also, it depends on various other factors how fast a password actually can be cracked. Nevertheless I think it's a good idea to use this table as a guideline when choosing a password and I thought I'd share it here.
Why hack passwords? Malware and hacked servers can read passwords of any complexity in plain text. Complex passwords only served to reassure the management.
BruteForce Protection and Fail2ban:
I think millions or billions of needed attempts will be detected even without BruteForce Protection or Fail2ban. And the attacker needs time ... a lot of time. Nextcloud login is very slow in comparison with hash methods on one's own PC.
Yes, there are many other attack vectors and bruteforce attacks are probably not necessary in most cases or impractical because of additional protection mechanisms. And one of the most common attacks is probably still social engineering. Or as we call it in German: "Der klassische Enkeltrick". Or your password is secure enough, but you also use it on several other services and one of them already leaked it... And there is of course malware, keyloggers etc... as you said.
Nevertheless, I found it interesting and it can certainly be useful as a guideline when choosing a password.
It used to take 3 weeks to crack a password with 18 digits, now it's 6 days.
It used to take 438,000 years to crack one with 18 numbers, large and small letters, and symbols. Today it's only 26,000 years.
I think it is only relevant if the hacker gets the encrypted password. An attack via the Nextcloud login will take longer ... much longer. Nextcloud itself has not become much faster.
It doesn't say 438,000 or 26,000.
The thousands are indicated with "k".
It actually says 438 "tn" and 26 "tn".
"tn" here stands for trillions. ("bn" stands for billion.)
Since the company that created this promotional infographic, Hive Systems, is based in Richmond, VA, it can be assumed to be US "short scale" billions and "short scale" trillions.
In the American numbering system, "billion" and "trillion" have different meanings compared to many other countries. The United States uses the "short scale".
Here's the breakdown:
American "billion": 1,000,000,000 (one billion), which is 9 zeros.
American "trillion": 1,000,000,000,000 (one trillion), which is 12 zeros.
In contrast, in the "long scale" used in most European countries, a "billion" is referred to as a million² (1,000,000,000,000 or 12 zeros), and a "trillion" is a million³ (1,000,000,000,000,000,000 or 18 zeros).
But even with short scale, it took
438,000,000,000,000 years instead of 438,000 years
and now still takes
26,000,000,000,000 years instead of 26,000 years
to crack an 18 digit long combination of numbers, upper- and lower case letters and symbols.
What this picture has shown impressively is how much one allows oneself to be manipulated by the type of representation, and one's critical, precise gaze is quickly eliminated.
In addition, these durations are extremely abstract. It is only the duration of hashing all permutations of all combinations in the given circumstances. What was not taken into account is that passwords can also be of different lengths and thus the hashing time of those permutations adds up accordingly.
The only thing that really counts is how fast one can do the real brute forcing, trying out the combinations until he gets a match.
One can be lucky and get it right the first time, or it can take as long as the earth is old (4.5 billion (short scale) years).
If someone would offer me even a fraction of the value of the electricity to be used for this purpose, I would voluntarily give him my password, stop working and fly to Mars on a private rocket
Please go on, everyone, nothing happened. It was just a smoke bomb
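To make the numbers in the thread reproducible, here is an added example (not from the thread or from Hive Systems) that computes the keyspace for a character set and length, optionally summing over all shorter lengths as the post above points out a real search must, converts it to years at an assumed guess rate, and formats the result with the infographic's short-scale "k"/"bn"/"tn" suffixes. The guess rates used in the demonstration are assumptions, not figures from the infographic.

```python
# Character-set sizes commonly used in "time to crack" tables.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "letters": 52,
    "letters+digits": 62,
    "letters+digits+symbols": 94,
}

# US short scale, as used by the infographic: 1 tn = 10^12, 1 bn = 10^9.
SHORT_SCALE = [(10**12, "tn"), (10**9, "bn"), (10**6, "m"), (10**3, "k")]
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length, cumulative=False):
    """Number of candidate passwords an exhaustive search must try.

    With cumulative=True every length from 1 up to `length` is counted,
    since an attacker who does not know the length has to try them all.
    """
    if cumulative:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second, cumulative=False):
    """Worst-case years to try the whole keyspace at a given guess rate.
    On average a match is found after about half of this time."""
    seconds = keyspace(alphabet_size, length, cumulative) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def short_scale(value):
    """Format a number the way the infographic does: 438 tn, not 438,000,000,000,000."""
    for base, suffix in SHORT_SCALE:
        if value >= base:
            return f"{value / base:.3g} {suffix}"
    return f"{value:.3g}"


if __name__ == "__main__":
    # Assumed rates: an offline GPU attack on a fast hash versus guesses
    # through a rate-limited web login. Both are illustrative assumptions.
    for label, rate in (("offline, 1e12 guesses/s", 1e12), ("online login, 10 guesses/s", 10)):
        years = years_to_exhaust(CHARSETS["letters+digits+symbols"], 18, rate, cumulative=True)
        print(f"{label}: {short_scale(years)} years for up to 18 chars of 94 symbols")
```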