With rapid advances in computing technology, as well as recent and projected advances in quantum computing, providing an estimate as to how long it will take to crack a password can be misleading and is what is often called “security theatre”.
If someone enters a password, and Bitwarden claims their password will take an estimated 10 years to crack, what will their satisfaction be when Bitwarden has to update the model in a short while and changes that estimate to 6 months?
Such calculations also ignore one of the most critical factors when making such estimates: the perceived threat source. If a child is worried about someone finding their iPhone and guessing their password, that’s a very different threat assessment than the CEO of an energy infrastructure company concerned about industrial espionage or state actors. The resources available to those that may want to compromise the password in those cases are vastly different.