excellent - thanks for the info.

I've decided to do some maths.

If you used a dictionary based brute force it might feasibly take less time I suppose depending on how many words were in your dictionary.

The Oxford English dictionary has ~ 220,000 words plus they estimate more than 8000 additional words are in use.

the number of possible combinations on a 5 word pass-phrase like peanut butter and jelly sandwiches would be 228000^5 or:

616132666368000000000000000

for a letter-by-letter brute force attack you'd be looking at 26^30 or:

~281319890128474591925862102961600000000000

an 8-character 'secure' password has roughly 80 different characters you might expect to see used 80^8:

1677721600000000

so a dictionary attack is dramatically quicker on the passphrase than character by character but is easilly scuppered by throwing the number 5 into the middle of a word, using a French word etc. Even with the dictionary attack it is still hugely more effective than the regular 8 character model in use by most places.

Fun times.