The salting of passwords makes rainbow tables useless, so it doesn't matter anymore.
Rainbow tables are only a factor if an old non-salted method is used. Even then,
it only comes into play if they are a local user or the system has been partly
hacked already so the attacker has access to /etc/shadow.

> Also is what type of attack? If guessing during login there would be
> the authorization failure delay to add to the crack duration time.

Yes. Also lockouts after X failed attempts, though that can also result in
denial of service attacks against the real user.

A lot of fear over password guessing is due to tv shows that show a hacker
running a program that knows when it's got the first character, and then
the second, etc. Reality is that the password is either correct or incorrect.
Very few systems let the attacker know how many, if any, of the characters are
correct. It would require having the correct password already available to the
login program in clear text.

Fear over brute force attacks against things like ssh is due to people having
a very hard time understanding just how big a number 2^128 really is.
https://discover.hubpages.com/technology/how-big-is-2-to-the-power-128

When people ask me for a recommendation on passwords, I tell them to use
a mix of words and numbers that mean something to them, but that others
will not be able to guess even if they know them well.

For example, use the number from the address of some building you know of,
and the name of a street, and the name of a pet. These can be taken from
real life or from something you've seen somewhere such as a show or news
report. Put all three of them together to make the password.

The important thing is that the password is too long to brute force, isn't in
any of the lists of commonly used passwords, and is some combination of words
and numbers that you will have no trouble remembering.

Regards, Dave Hodgins
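
An added illustration of two points in the message above (salting versus precomputed tables, and a login check that only answers correct or incorrect); it is not part of the original post. PBKDF2-HMAC-SHA256 stands in for whatever crypt(3) scheme the system uses, and the wordlist, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                              # constructed work factor for this demo
WORDLIST = ["password", "letmein", "rover2024"]   # constructed candidate list

def unsalted_hash(password: str) -> str:
    """Old unsalted scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(candidates) -> dict:
    """Precomputed digest -> password lookup (simplest stand-in for a rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}

def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; PBKDF2 is an assumption standing in for a crypt(3) scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def new_record(password: str) -> tuple:
    """What the system stores: a fresh random salt plus the salted hash, never the password."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify(record: tuple, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt; the only output is yes or no."""
    salt, stored = record
    return hmac.compare_digest(stored, salted_hash(attempt, salt))

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted lookup:", table.get(unsalted_hash("rover2024")))
    rec_a, rec_b = new_record("rover2024"), new_record("rover2024")
    print("same password, same stored hash?", rec_a[1] == rec_b[1])
    print("salted hash found in table?", rec_a[1].hex() in table)
    near_miss = salted_hash("rover2025", rec_a[0])
    print("near miss accepted?", verify(rec_a, "rover2025"))
    print("bits differing from stored hash:", differing_bits(rec_a[1], near_miss), "of 256")
```

A guess that is wrong in one character differs from the stored hash in about half its bits, so the check has nothing to report about which characters were right.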