Knowing the common password attack vectors will give you an idea of how you might go about calculating this. When we need a number, let’s assume that a desktop computer can check 4 billion (4×10⁹) passwords per second, which seems about right.

It’s important to realize that an attacker is rarely attempting to crack just your password. Instead, they will have user ids for a large number of accounts, and they want to try to crack as many of them as possible. As such, it pays for them to invest most of the time in cracking the easy passwords, and not bothering with difficult passwords.

0. Really obvious attacks

Try entering the user id for the password. It’s surprising how many people do this. Your password is crackable instantaneously.

1. Dictionary attacks

This is simple. The attacker just needs to keep a list of (say) the 10⁶ most common passwords in use, and check each of them once. This can be done in well under a second. If your password is in the list of most common passwords, then it can probably be cracked nearly instantaneously.

2. Brute force

If your password isn’t in a dictionary, then one other option is to use brute force. The time taken to crack a password using this method depends on (a) the length of the password, and (b) the symbol set that comprises the password. The general formula is

timeTaken = (sizeOfSymbolSet ^ passwordLength) / (4*10^9)  # (seconds)

For example, if your password consists only of lowercase letters, then the size of the symbol set is 26. Here’s a list of how long it might take to crack your password as a function of its length:

Length Time
     4   0.1 millisecs
     6   0.1 seconds
     8   1 minute
    10   10 hours
    12   9 months

If you use all lowercase and uppercase letters, numbers and symbols then the symbol set is closer to 100. It takes correspondingly longer to crack your password:

Length Time
     4   25 millisecs
     6   4 minutes
     8   28 days
    10   800 years
    12   8 million years

Don’t get too complacent yet, though! The 8 million year figure assumes that you have a random selection of 12 letters, numbers and symbols as your password, i.e. your password is something like

t8Qkx#rxZAM@
%Kuc;p8WHmFU
xDE!XE$rLGh4
KJdx2K8BS33K
HTaeCc&t46L;

How many people have a password like that?

3. Combined methods

This relies on a combination of ingenuity and brute force. It’s a mix between the first two methods, and relies on common “password conventions” rather than common passwords.

For example, many people have a password of the form “a dictionary word followed by a number”. There are about 2×10⁵ words in the Oxford English Dictionary, so to generate all combinations “dictionary word followed by number” is about 2 million different passwords, which can again be easily checked in under a second.

Other common tropes include replacing characters by similar-looking symbols- o with 0, l with 1, a with @ etc. Once you have a list of dictionary words, it is trivial to generate all of these replacements. At a guess, you might increase the length of the list by a factor of 1000, which is still checkable in around a second.

My guess is that the site uses a combination of some or all of these approached to work out how long it would take to crack your password.