
> His encryption password was supposedly greater than 20 characters and included a mixture of cases, numbers, and punctuation [...]

It doesn't really matter what kinds of characters your passphrase of 20 characters contains. What matters is how much entropy it contains, i.e. whether it was generated randomly.

A random 20-character password containing just lower case English letters would still take more time to break than the age of the universe assuming one billion guesses per second.



For a brute force attacker, how does a high entropy 20 character password vs a low entropy 20 character password change discovery time? Even throwing in a random character in the middle would probably defeat any shortcuts, no?


I think where this reasoning gets people in trouble is when their 20 char password was leaked by LinkedIn or some such and they've since mutated it by inserting the random character and think it's now secure.

If the attacker uses a wordlist with the old password and a ruleslist with "throw in a random character", they're going to try the correct password long before they try a random 21 character string.


There are 20 places to put the random character, and there are roughly 100 possible values, for a total of 2000 possibilities. Thus, assuming someone has knowledge of you using this trick, it corresponds to adding 11 bits of entropy. There are other similar tricks you could have been using instead, so there may be a few additional bits of security if they know you use some trick but not which one.


Right. But it requires some starting point for the password in the first place.
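The arithmetic in the thread, plus the policy check a defender would actually want, as an added example (not code from any of the commenters): it computes the entropy of a uniformly random password, the cost of exhausting it at one billion guesses per second, the roughly 11 bits that the "insert one random character" trick adds when the attacker knows the trick, and a check that flags a candidate password that is a single-character insertion into a known-leaked one. The leaked-password set is a constructed sample.

```python
import math

# Constructed sample of previously leaked passwords (hypothetical values,
# standing in for a real breach corpus).
LEAKED = {"Tr0ub4dor&3", "correcthorsebatterystaple"}

AGE_OF_UNIVERSE_SECONDS = 4.35e17  # ~13.8 billion years


def random_password_bits(length, charset_size):
    """Entropy in bits of a password drawn uniformly from charset_size^length."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try every password of the given entropy at a fixed guess rate."""
    return 2 ** bits / guesses_per_second


def insertion_trick_bits(positions=20, charset_size=100):
    """Bits gained by inserting one random character into a known password,
    assuming the attacker knows the trick: log2(positions * charset_size)."""
    return math.log2(positions * charset_size)


def is_single_insertion_of(candidate, known):
    """True if candidate equals known with exactly one extra character inserted."""
    if len(candidate) != len(known) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == known
               for i in range(len(candidate)))


def mutated_leaked_password(candidate, leaked=LEAKED):
    """Return the leaked password that candidate trivially derives from, or None.
    A password-change policy can reject candidates for which this is not None."""
    if candidate in leaked:
        return candidate
    for known in leaked:
        if is_single_insertion_of(candidate, known):
            return known
    return None


if __name__ == "__main__":
    bits = random_password_bits(20, 26)
    print(f"20 random lowercase letters: {bits:.1f} bits, "
          f"{seconds_to_exhaust(bits) / AGE_OF_UNIVERSE_SECONDS:.0f}x the age of the universe at 1e9/s")
    print(f"insertion trick adds about {insertion_trick_bits():.1f} bits")
    print(mutated_leaked_password("Tr0ub4d!or&3"))
```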



