Would the expected attack vector in that case be to use the known work size and then go through each user and their unique salt first using dictionary word, then working out from the minimum password size exhausting successively 4 character passwords, then 5, 6, etc?
Yeah that would be the common attack vector.
Generally speaking there are three ways to guess a password.
a) recompiled lists (often 5-8 million based on prior large scale breaches - people love re-using passwords even after breaches)
b) base word dictionary (also contains slang, names, famous people, brands, etc) with substitution
c) pure brute force.
The order of using the masks and lookup tables is kinda an art-form. Some choices are obvious, some choices are more subjective.
There are only 857K 1-3 char passwords so try them first.
Next try your "common password list".
A 4 char brute force usually makes the most sense (81 million).
Around 5 or 6 char brute force starts to not make much sense. That assumes you are going against something solid like bcrypt.
So uaully after 4 or 5 char brute force trying substitution/prefix/suffix makes more sense.
Start w/ 1 substitution against the dictionary and then increase the number of substitutions. Beyond 2 or 3 you really aren't gaining anything over brute force. Eventually the "largeness" of the attack space makes continuing futile.
So a sensible takeaway in this situation is that even if a password was used as the sole means of verifying an account, it would be very difficult for the attacker to use the stolen database to actually compromise any accounts for anyone who's password is even remotely secure within the week long timeframe we're talking about. Even going through a 8M entry recompiled list at 36,000 passwords a second would take 3.7 minutes per password, or 2.57 days per 1000 passwords. There might be someone who's password is "password" with 1000BTC sitting in their account, but really anyone stupid enough to do that probably wouldn't have 1000BTC to begin with.
