On 8/26/05, Frank Schafer <[EMAIL PROTECTED]> wrote:

Hmmm, I think the example password should be strong enough but you are
right. Sooner or later it will come in (if sooner is something amongst
some hundreds of years and later something amongst some thousands ;)
BTW: There isn't only the password. There are log analyzers too.
Let such an analyzer catch auth failure - say 20 times within less than
half an hour - for root remote, then it can block access from this IP,
if it catches local auth failure for root - 20 times within less than
half an hour - it can log out the user (kill his login shell) and block
the account. Mine does so. Well, in this case the sooner is something
amongst some millions of years and the later something amongst some
trillions.
... but this already goes into the direction of IDS.

You're lacking optimism... Of course the brute-force attack was not supposed to be done remotely! You can pull passwd to your local machine and then let your computer handle it without interruptions. If some properties of the password are known beforehand, then sooner would be a matter of hours and later a couple of days. This is not even putting into the game some distributed computing...
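
Added example, not part of either message: the log-analyzer rule described in the quoted text (20 root auth failures from one IP within less than half an hour), written as a sliding-window check in Python. The OpenSSH-style line format, the `year` argument and all sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                    # failures, as in the quoted message
WINDOW = timedelta(minutes=30)    # "less than half an hour"

# Assumed OpenSSH-style syslog line; adjust the pattern to your own logs.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for root from (\S+) port \d+"
)

def ips_to_block(lines, year=2005):
    """Return source IPs with >= THRESHOLD root failures inside WINDOW."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a remote root auth failure
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while ts - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and m.group(2) not in blocked:
            blocked.append(m.group(2))
    return blocked

def sample(ip, user, step_min, count=20):
    # Constructed log lines, not taken from a real system.
    return [
        f"Aug 26 10:{i * step_min:02d}:00 host sshd[4242]: "
        f"Failed password for {user} from {ip} port 50000 ssh2"
        for i in range(count)
    ]

SAMPLE = (
    sample("203.0.113.5", "root", 1)     # 20 failures in 19 minutes
    + sample("198.51.100.7", "root", 2)  # 20 failures spread over 38 minutes
    + sample("192.0.2.9", "alice", 1)    # not root, ignored by this rule
)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE))
```

The returned list is what would be handed to whatever does the blocking. The rule only sees guesses that reach the auth log, so it has no effect on the offline attack against a copied passwd file that the reply describes.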
