The security of common sense (continued)
To infinity and beyond
There are a lot of combinations that can make up a password. Brute force attacks generally have to go through them all. Even dictionary attacks (which, instead of generating random passwords or stepping through every combination, simply try each password in a dictionary file) need word variants and alternate spellings to cover the bases. The applications here use a 62-character pool to try to crack passwords. The number of combinations is 62 raised to the power of the password length. So a six-character password has 62 to the power of 6 combinations, or 56,800,235,584. An eight-character password weighs in at 218,340,105,584,896 combinations. You may be thinking that's not so much; computers today are so powerful that they can handle numbers like that easily.
To put these in perspective, though, 256 to the power of 4, or 4,294,967,296, is the number of possible IPv4 addresses in TCP/IP (Transmission Control Protocol/Internet Protocol). That is, the entire World Wide Web is limited to the above number of addresses. Said another way: if every person on the planet filed one by one past your computer and typed a unique password, you would still be short of the number of combinations in a six-character password by about a factor of 10. Still, this by itself isn't so much until it's coupled with the second reason people don't use brute force attacks.
The Great Divide
The single greatest natural defense of any computer system is that you have to get to it. The CORBA attack in the ExhaustiveHack application is most definitely slowed by the sheer number of combinations, but that's minuscule when compared with the time it takes to send the attack to the host and receive a response indicating success or failure.
Yes, your network, no matter how high-speed, is still by far the slowest element of any brute force attack. A computer can blaze through combinations locally, but it needs to contact your server to see if a guess succeeded, and it must halt its cracking while it waits. Even a multi-threaded attack (which Java excels at) would not offer much in terms of cost savings, because the times are so unbelievably vast and because authorization attempts are queued and limited.
We will assume a one second submit/response time, as well as generation of the password (i.e., one second total per attempt, which is far faster than you'll ever get, even on a LAN). We'll also assume the program must go through 25% of the total combinations possible before reaching the correct password, and we will use the 62 character pool for our base of combinations. Table A shows the times involved in cracking passwords using ExhaustiveHack.
Table A: Time needed to crack a password with ExhaustiveHack (30 days per month)

| Password length | Time needed |
| --- | --- |
| One character | 15.5 seconds |
| Two characters | 16 minutes |
| Three characters | 0.69 days |
| Four characters | 42.8 days |
| Five characters | 7.36 years |
| Six characters | 456.5 years |
| Seven characters | 28,305 years |
| Eight characters | 1,754,920 years |
| Nine characters | 108,805,029 years |
| Ten characters | 6,745,911,827 years (greater than the estimated age of our Solar System) |
| Eleven characters | 418,246,533,274 years |
| Twelve characters | 25,931,285,062,998 years |