1. The attacker is presumed to use brute force, meaning every possible combination of characters is tried one after another. A dictionary attack is not considered. Bear in mind, however, that if the victim chooses a dictionary word, the time to guess the password could be greatly shortened, as the attacker would only need to try words from a dictionary.
2. Presumably there is no flaw in the cryptographic algorithm. If this were not the case, the time to guess the password would be greatly shortened.
3. When using brute-force attacks, on average the passwords are found after 50% of tested permutations.
4. Presumably the attacker does not know the size of the password before any attack. To illustrate this, to brute-force a password composed of 8 characters, the attacker first has to try the passwords with 1, 2, 3, 4, 5, 6, 7 and finally 8 characters.
5. We assume that 250 floating-point operations are needed to check a password.
For further information, please read the following CASES Luxembourg articles (in French):
Publication on access management - threats on decryption
External links: www.top500.org and boincstats.com
Brute-force attack from a contemporary home computer using free password guessing tools.
Estimated power: 78 375 921 combinations tested per second.
Distributed network with 2500 zombie computers from the same botnet (estimate) to break a password.
Estimated power: 195 939 804 420 combinations tested per second.
Computing power of the fastest computer on the planet.
Estimated power: 93 014 600 GFlops or 3.720584E+14 combinations tested per second.
Source: http://www.top500.org/
Combined computing power of the 500 most powerful computers on the planet (very unlikely scenario).
Estimated power: 845 121 000 GFlops or 3.380484E+15 combinations tested per second.
Source: http://www.top500.org/
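The assumptions and the four attacker rates above, combined into a time estimate. This is an added example, not the calculator's own code. The four character classes and the reading of the 50% rule as half of the whole search over lengths 1 to n are assumptions of the example, and the sample passwords are constructed.

```python
import string

FLOPS_PER_CHECK = 250  # assumption 5 on the page


def gflops_to_rate(gflops):
    """Convert a GFlops figure into password checks per second."""
    return gflops * 1e9 / FLOPS_PER_CHECK


# Combinations tested per second, from the four scenarios on the page.
RATES = {
    "home computer": 78_375_921,
    "botnet of 2500 zombies": 195_939_804_420,
    "fastest computer": gflops_to_rate(93_014_600),
    "top 500 combined": gflops_to_rate(845_121_000),
}

# Character classes and their sizes are an assumption of this example.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the alphabet a brute-force attacker must cover for this password."""
    if not password or set(password) - set("".join(CLASSES)):
        raise ValueError("empty password or character outside the assumed classes")
    return sum(len(cls) for cls in CLASSES if set(cls) & set(password))


def expected_guesses(alphabet, length):
    """Lengths 1..length are tried in order (assumption 4); the password is
    found after 50% of that total (assumption 3, applied to the whole search)."""
    return sum(alphabet ** k for k in range(1, length + 1)) / 2


def estimate(password):
    """Seconds per scenario for pure brute force. A dictionary word falls far
    sooner than this (assumption 1), so the figure only holds for random passwords."""
    guesses = expected_guesses(alphabet_size(password), len(password))
    return {name: guesses / rate for name, rate in RATES.items()}


if __name__ == "__main__":
    for pw in ("kitten", "Tr0ub4dor&3"):  # constructed sample passwords
        for name, secs in estimate(pw).items():
            print(f"{pw:12} {name:24} {secs:.3e} s  ({secs / 31_557_600:.3e} years)")
```

Converting the two GFlops figures with the 250-operation cost reproduces the combinations-per-second values quoted in the scenarios.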