Given infinite money and time, no password is safe. And yes, cracking rigs can be clustered to reduce the time necessary to crack passwords. Back in 2012 it was demonstrated that a specially built cracking rig (a cluster of 25 GPUs) costing about $25,000 can crack the NTLM 8-character space in under 6 hours. Today, that same power can be built for about $12,000. As hardware (graphics cards) gets cheaper and more powerful, it will be easier to construct a cracking rig.
The tool to counter this is stronger hash algorithms; NTLM relies on the old MD5 hash. Other hash algorithms include Blake-256, SHA-256, SHA-3 and others. These hashes make it harder to come up with a guess, so they slow the computer down in its brute-force attack. So, fewer guesses per second.
The second vector is the use of complexity, or more starting characters. Other than requiring a password contain one or more special characters at the time of creation, this really does not have any additional value as there is a limit to the number of special characters.
That leaves us with length. We all know that we should have longer passwords, but because they are difficult to remember, we don't like them. Sentences are a whole 'nuther ballgame.
For example:
Denver Bronco’s #1 fan
22 characters, using uppercase, lowercase, digits and specials.
The brute-force key space would be 88^22, or roughly 6 x 10^42.
By comparison, an 8-character password is 88^8, or 3.7 x 10^12.
However, this all requires acceptance of longer passwords. The NIST standard calls for a minimum of 8 and a maximum of 64. Do all applications follow that standard? No.
Thanks.