Take for example an attempted remote brute-force on my machine. There's a delay of 30 seconds between login attempts [with a lock-out after three tries but that's beyond the point]. Take that number and multiply it with say 2,000,000,000 attempts to connect... unlikely for anybody to get in anytime soon.

I did try brute-forcing my password locally, and after 24 hours neither root nor user were broken... I don't consider having very long passwords but they are more than just alpha-numeric, so John was still quite a way from breakin'em.

As for the 'housework' [data across the network, encrypting pass, checking hash to passwd file] that definitely plays a part in how long it will take to brute-force the account. Unless the NSA is after you for high-level treason, a good password will keep 'h4X0rZ' out for longer than out Sun has to burn.