The question I get most often is, "How many attack guesses per minute is realistic?" That depends on a whole host of factors, including bandwidth from source to destination, source and destination resource utilization, the application being attacked, lockout rules, the type of system being attacked, other defenses, and the number of attack threads generated.
There are many attack tools (including Brutus and THC's Hydra) that allow multiple threads to be started simultaneously. Add to that the fact that the attacker can attack from multiple origination points at once, and the number of attack threads can increase quickly. When I conduct a penetration test, I can routinely generate several hundred password-guessing threads a minute, but beyond that, most systems start to bog down, and many crash completely. You'll have to conduct your own real-life password guessing tests using an automated tool to determine the valid ranges you should enter into the spreadsheet.
You can use the password guessing spreadsheet to simulate all sorts of attack scenarios, but the one I often demonstrate assumes the following inputs: eight-character password, complexity enabled, 94-symbol character set, with 90 days between password changes. On average, the attacker could break passwords under that policy with only 65 guesses per minute -- not at all hard to accomplish. Note that this figure comes from the spreadsheet's entropy model of the passwords people actually choose, not from the full 94^8 keyspace; exhausting that keyspace by brute force within 90 days would take on the order of 10^10 guesses per minute.
I accept no responsibility for the errors in my spreadsheet. It likely contains significant errors and should not be relied upon. Do your own password audit testing to make decisions. And this exercise absolutely ignores all other factors that make up true password strength (system controls, other defenses, physical security, end-user's brain) and all other sorts of password attacks, such as keystroke logging, side-channel attacks, social engineering, phishing, sniffing, and dumpster diving.
That said, it's an interesting spreadsheet to play with. I plan to update it as better information, corrections, and improved entropy models become available.
This column would not be complete without mentioning the password policy I strongly recommend. Regular user passwords should be a minimum of 10 to 12 characters long (preferably 12 or more); privileged accounts should have passwords of at least 15 characters, and they should be changed every 90 to 120 days. Disable weak password hash formats so that captured hashes cannot be cracked offline in useful time. I'm not a big fan of complexity -- it doesn't provide as much protection as people think -- but you'll usually have to include it to satisfy auditing requirements.