Of course, this table does not take into account various additional protection measures, such as the Nextcloud BruteForce Protection, which delays further login attempts after several incorrect login attempts, or things like Fail2ban and 2FA. Also, it depends on various other factors how fast a password actually can be cracked. Nevertheless I think it’s a good idea to use this table as a guideline when choosing a password and I thought I’d share it here.
Why hack passwords? Malware and hacked servers can read passwords of any complexity in plain text. Complex passwords only served to reassure the management.
BruteForce Protection and Fail2ban:
I think millions or billions of needed attempts will be detected even without BruteForce Protection or Fail2ban. And the attacker needs time … a lot of time. The Nextcloud login is very slow in comparison with hash methods on your own PC.
Yes, there are many other attack vectors, and brute-force attacks are probably not necessary in most cases, or impractical because of additional protection mechanisms. And one of the most common attacks is probably still social engineering. Or as we call it in German: “Der klassische Enkeltrick”. Or your password is secure enough, but you also use it on several other services and one of them already leaked it… And there is of course malware, keyloggers etc… as you said.
Nevertheless, I found it interesting and it can certainly be useful as a guideline when choosing a password.