[bigiain]

If they knew what they had there (and the balance of the wallet was in the blockchain, they probably knew exactly who they were targeting here), you could throw an awful lot of resources at bruteforcing the password. (Lets face it, they had this guy's bank accounts and PayPal - I wonder how much of his own money they spent on AWS cracking his wallet password?)

[jschwartzi]

Talk about adding insult to injury. Imagine someone using your credit cards to buy compute time to brute-force your passwords.

[TwoBit]

You can't brute force a 30 character password that has randomness. Not with all the computers on the planet together.

[bigiain]

Sure, depending on what you actually mean by "has randomness".

"correct horse battery staple"

is 29 characters, but it's _much_ more likely to fall to hashcat than

"OckivpykophshifcuvTocJorj%opAd"

I've only got 4 truly random passwords stored solely in my head, and they're all down at 12 chars because I need to write them down much above that instead of being reliably able to remember them (and yeah, I've got stuff I no longer have access to because I've forgotten the password...). There's a serious tradeoff to be made with a password for "millions of dollars worth of bitcoin" - where do you balance the "it's super secure" against the "Shit! I forgot the password!" (And if your first answer is "that's what password safes are for", then you've just moved the problem to the password safe's password...)

(With a reasonable dictionary, "correct horse battery staple" will probably pop out from hashcat in under a second on a Raspberry Pi! ;-) )