by Pikago 3572 days ago
They were obviously testing for combinations of words and not combinations of single characters. They might even have tested plain sentences. Still very impressive. After all, the leak dates back to 2012. I wonder how much time the first one took, for example.

I think strings that map to the same hash are just unintelligible garbage. If you find something that looks human, then it's certainly the original password.


The first one is the title of a song [1]. The attackers probably have a lot of common phrases, song titles, and other catchy excerpts in their dictionary.

[1] https://www.youtube.com/watch?v=I915tOiR9sM

If it weren't a song title, it would probably have been impossible to crack. That sentence has 12 words. People say that most English conversations only use 3000 words. 3000^12 is 2^138. It has quite a bit more entropy than what we can crack nowadays. Besides, "stripper" isn't part of the 3000-word dictionary.

Those 3000 words are not random in natural language. If they were, your calculation would be correct, but they aren't, so the actual entropy of the system is likely nowhere near 138 bits. In other words, song title or not, if the sentence was an actual sentence the entropy is much lower. To get maximum entropy out of sets of words you have to use something equivalent to Diceware.
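
The entropy argument in the last two comments, worked through in Python as an added example that is not part of any comment in the thread. It assumes word frequencies follow a Zipf distribution (an assumption, not a measurement); the function names and the short word list are constructed for illustration.

```python
import math
import secrets

VOCAB = 3000      # vocabulary size quoted in the thread
WORDS = 12        # sentence length quoted in the thread
DICEWARE = 7776   # 6**5 entries, the size of a standard Diceware list


def uniform_bits(vocab, words):
    """Entropy when every word is drawn uniformly and independently."""
    return words * math.log2(vocab)


def zipf_bits_per_word(vocab, s=1.0):
    """Shannon entropy of one word drawn from a Zipf(s) distribution.

    Assumption: frequency is proportional to 1/rank**s. Grammar and context
    are still ignored, so for a real sentence this is only an upper bound.
    """
    weights = [1.0 / rank ** s for rank in range(1, vocab + 1)]
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights)


def words_needed(target_bits, list_size):
    """Smallest word count whose uniform entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_style(wordlist, words):
    """Pick each word uniformly with a CSPRNG, standing in for dice rolls."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Constructed sample list; a real Diceware list has 7776 entries.
    sample = ["anchor", "biscuit", "cobalt", "dune", "ember", "fjord",
              "gravel", "harbor", "ivory", "juniper", "kettle", "lantern"]
    print("uniform, 12 of 3000: %.1f bits" % uniform_bits(VOCAB, WORDS))
    print("Zipf upper bound:    %.1f bits" % (WORDS * zipf_bits_per_word(VOCAB)))
    print("Diceware words for 80 bits:", words_needed(80, DICEWARE))
    print("sample passphrase:", diceware_style(sample, 6))
```

Even the Zipf figure treats words as independent, so sentence structure lowers the real number further; only the uniform, independent draw in `diceware_style` delivers the full `words * log2(list_size)` bits.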