Brute force succeeds or fails on one comparison: the size of the keyspace against how fast the attacker can hash. Everything else is detail.

Keyspace and entropy

The keyspace is the number of possible inputs: roughly (alphabet size) ^ length, summed over the lengths in range. A 4-digit PIN is 10^4 = 10,000. An 8-character password over the 95 printable ASCII characters is 95^8, about 6.6 x 10^15.

Entropy in bits is log2(keyspace). Because each extra character multiplies the space by the alphabet size, entropy grows by a fixed amount per character while the keyspace itself grows exponentially.

Crack time

Crack time is approximately keyspace divided by rate. At a fast unsalted rate of 1,000,000,000 hashes per second on a GPU, 10,000 candidates fall instantly, while 6.6 x 10^15 takes on the order of months on average. Now change the hash: with a slow KDF tuned to 10,000 guesses per second, that same keyspace would take millions of years.

Why length beats complexity

Adding one random character over a 95-symbol alphabet multiplies the keyspace by 95. That is far more than swapping one letter for a symbol under a composition rule. Length and randomness dominate; complexity theater does not.

The takeaway

Use long, random secrets, a generated password or a multi-word passphrase, and let a slow KDF multiply the cost of every guess. This is exactly what the demonstrator shows: small keyspaces fall in milliseconds, while realistic ones simply exhaust the budget.