You do the math.
OK, let's do it together.
The master password and password character set both support the full UTF-8 character set. This means there are hundreds of thousands of possible glyphs for each password position (due to multiple writing systems... Latin, Cyrillic, Arabic, Chinese, Japanese, etc. (sorry, no Egyptian hieroglyphs in Unicode)).
For the moment, let's "do the math" for an American PasswordMaker user. Let's suppose he speaks English as his first language and uses a US 104-key keyboard... so no umlauts, diacritical marks, euro symbol, British pound symbol, etc. in his characters. In fact, let's say he leaves the character set as the base93 ASCII characters which PasswordMaker uses as its default but simply rearranges their order. He also chooses an 8-character master password from the same base93 character set. So we have:
master password combinations = 93^8 = 5,595,818,096,650,401 (over 5 quadrillion)
character set combinations = 93^93 = 1.1719638492654442104175825877512e+183
Adding these together we have... well let's just say 1.1719638492654442104175825877512e+183. Now let's be optimistic for the attacker and say we expect the brute force attack to find a match after iterating through just 50% of the combinations. 1.1719638492654442104175825877512e+183 divided by 2 is 5.859819246327221052087912938755e+182 according to my Windows calculator.
A fast modern PC can easily calculate about 10 million passwords per second
5.859819246327221052087912938755e+182 / 10,000,000 = 5.859819246327221052087912938755e+175 seconds or 1.8581364936349635502561875122891e+168 years.
A supercomputer (or a cluster) checks up to a billion passwords per second
5.859819246327221052087912938755e+182 / 1,000,000,000 = 5.859819246327221052087912938755e+173 seconds or 1.8581364936349635502561875122891e+166 years.
distributed.net's project reached 76 billion/sec once
5.859819246327221052087912938755e+182 / 76,000,000,000 = 7.7102884820095013843262012352039e+171 seconds or 2.4449164389933730924423519898541e+164 years.
This is longer than the current lifetime of the universe. Even if you started the attack during the big bang (approx 13.7 billion years ago), you wouldn't be anywhere near finished today.
Note this assumes the user doesn't use modifier, suffix, prefix, leet, and that he doesn't use non-English characters. If he did, solving the problem would take even longer. Please let me know if my math is incorrect--math was never one of my strong points, so I wouldn't be surprised if I did something wrong.
I'm actually thinking of proposing (and writing) a new section concerning general concerns about internet security, passwords, cryptography and the like, and how PasswordMaker fits into this. Most information I find is either too general ("If you use this, you're safe"), too scary (worst case scenarios) or too technical (like Wikipedia) to be useful, so I want to come up with something new. Suggestions etc. are welcome of course.
This would be most welcome! Do you have scp access to the website so you can make changes?