Brute forcing a SecurePrint key is pretty expensive.
The key is elongated through a scrypt precursor (ROMix): high RAM cost, so it's expensive to parallelize a brute force attack. Just decrypting the encrypted root key with a candidate passphrase isn't enough to verify it; you still need at least 2 ECDSA public key exponentiations to get the first public key with potential balance.
Let's ignore the other operations and just look at the KDF. The key derivation function defaults to 16MB RAM. Assuming a recent high end computer can compute 2000 candidates per second, with 10000 machines attacking your SecurePrint passphrase simultaneously, you are looking at 2^24 attempts/s on a 7 byte passphrase, so you are left with 2^32 seconds worth of work to crack the passphrase, or about 130 years (unless I messed up somewhere).
Obviously this isn't as strong as the 128 bits of actual security a 256-bit EC offers, but I find it acceptable considering the economics of such an attack.
If you are unsatisfied with this level of security, you can always use fragmented backups. In this case you can choose to mix and match unencrypted, SecurePrint encrypted and digital fragments to implement a stricter security model. An attacker would need a quorum of fragments to even attempt anything.
Okay, I see. But is there any way that you guys (Armory developers) could one day make it like 20 (or even 40) characters instead of just 11? This would boost my confidence.
You see, as I explained, I have to assume that my SecurePrint wallet (without password) is publicly available. Someone could have started work on brute-forcing it already and may plan on doing so for the next decade or two. Especially if he knows I'm a millionaire (could be the case if a coworker compromised the printer at work). Another case is where a few bank employees know I'm a billionaire and break into my safe deposit box (which is exactly why I ain't putting the SecurePrint password in that same location).
Because of this, I'm not going to feel very confident putting a lot of money into my SecurePrint wallet. And I don't really want to be recreating my wallets every 2 years. I want to use the same wallet for the next 20 years. That's why I ask for that extra entropy.
What do you think? Maybe I'm missing something.