How secure is a "root" password that's 26 alphanumeric characters long?
Interesting question and testing of the hackers with the Chinese IP!
I'll assume that by 'alphanumeric', you mean [A-Za-z0-9]
, or 62 characters. If they average 3 days to crack an 8-character password, then it should take 6 days to cover all of the 62^8 possible passwords, so they're able to guess 62^8 ÷ (6×24×60×60) = 421180759 passwords per second.
A 26-character password at that same rate would take 62^26 ÷ 2 ÷ 421180759 ÷ (60×60×24×365), or 1.5 nonillion years to break, on average.
That said, 421180759 passwords per second is really impressive. I'm guessing your 8-character passwords are not truly random, but rather made up of dictionary words or other semi-predictable components, thus making our guesses-per-second calculation off. They probably can't break the 26-character password in 1.5 nonillion years.
By the way, password strength is often measured in bits of entropy. The 8-character password is log₂(62^8), or 48 bits of entropy, assuming it's truly random. The 26-character password comes in at a whoppping 155 bits of entropy! If you haven't seen it, you also must read the classic xkcd password strength commic.