Errata Security have an interesting post on the hacking of a general's mistress. In it, Robert David Graham looks at how long it would take someone to discover Paula Broadwell's Yahoo! email password based on the hashed copy leaked in an email hack last year. He states:
it'll take 17 hours to crack her password using a GPU accelerator trying 3.5-billion password attempts per second, trying all combinations of upper/lower case and digits.
(My emphasis)
I read that and thought: clearly he's making an assumption here about the (maximum) length of the password. I wonder what the assumption was?
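The quoted figures can be inverted to recover the length assumption, since worst-case exhaustive search time is just keyspace divided by guess rate. The sketch below is an added example, not code from the Errata Security post or from this page's author; the function names are illustrative, and it checks both readings of the claim ("exactly N characters" and "every length up to N").

```python
import math
import string

# Upper case, lower case and digits, as in the quoted claim: 62 symbols.
ALPHABET_SIZE = len(string.ascii_letters + string.digits)


def keyspace(length, cumulative=False):
    """Candidate count for passwords of exactly `length` characters,
    or of every length from 1 to `length` when cumulative is True."""
    if cumulative:
        return sum(ALPHABET_SIZE ** n for n in range(1, length + 1))
    return ALPHABET_SIZE ** length


def hours_to_exhaust(length, rate, cumulative=False):
    """Worst-case hours to try every candidate at `rate` guesses/second.
    The expected time to hit one particular password is half of this."""
    return keyspace(length, cumulative) / rate / 3600


def implied_length(stated_hours, rate, cumulative=False, max_length=16):
    """Length whose exhaustive-search time best matches a stated figure.
    Compared on a log scale because each extra character multiplies
    the search time by the alphabet size."""
    return min(
        range(1, max_length + 1),
        key=lambda n: abs(
            math.log(hours_to_exhaust(n, rate, cumulative) / stated_hours)
        ),
    )


if __name__ == "__main__":
    rate = 3.5e9  # guesses per second, from the quoted claim
    for n in range(6, 11):
        print(
            f"{n:2d} chars: exactly {hours_to_exhaust(n, rate):12.2f} h, "
            f"up to {hours_to_exhaust(n, rate, cumulative=True):12.2f} h"
        )
    print("length implied by '17 hours':", implied_length(17, rate))
```

Neighbouring lengths differ by a factor of 62, so only one length can land anywhere near a stated time, whichever reading is used.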