Yes, but this is for the Arduino. How often is Arduino used to hack passwords? Anyway, set it up against Hotmail for example, and it will take waaay more than 212 seconds.
No one would do that. No one would use an Arduino to crack a password at all. It is so handicapped at this kind of process compared to a computer that it is ridiculous to even contemplate. Now, I wouldn't fault someone (like you, for instance) for trying based on curiosity or whatever, but for genuine attempts at hacking
... well.. let's just say if someone were trying to hack my
accounts with an Arduino, I would be tempted to make my password shorter to give them a fair shot. They're obviously of no real threat.
Also, I'm not going to pretend I have statistics to back myself up, but I don't think the majority of brute-force account break-ins happen through web interfaces to services like Hotmail, Gmail, etc.. Just the round-trip time alone would delay things to the point of absurdity. Since most providers give you a couple shots at trying to remember a password before they start throwing up road blocks like time-delays or captchas, it's just not a very desirable point of entry.
Like others have said already, typically when account credentials are stolen, it's either because....
1) Someone had previous knowledge of you or your account that gave them a substantial advantage. Like how Sarah Palin's account got hacked because her security question was "What high school did you attend?" There aren't that many high schools in Wasilla, AK -- where she's lived her entire life. BTW, this is why the whole concept of "security questions" is deeply flawed.
2) Someone had access to back-end information -- encrypted passwords, or other raw account info. With a list of encrypted passwords, you no longer have to knock down the front door. If the passwords aren't salted (randomized), then a given algorithm -- like MD5 -- will always produce the same hash with the same input. This makes it easy to compare with pre-encrypted lists of common passwords. Low-hanging fruit. If the passwords are salted, then you're back to brute-force attempts.
3) Someone had access to existing account info from somewhere else. If I know your work computer's password is "Fluffy1", I might try that as your password to everything else. Chances are, you've used that elsewhere. Once I have access to your email, I can reset passwords for all your other services that use said email account as the lost-password recovery mechanism.
So, brute-force (especially through a web site) is almost never the best option. When it's the only option, there are a few tricks to optimize things. Like, for one, I can get into a surprising number of accounts just by trying a "common passwords list". It's just scary how often those passwords work. Then, I can try just letters and numbers, and because it's so typical for someone to throw an exclamation point or two at the end, I'll add that too. Limited character sets shorten the time to crack significantly, although still that's 26 * 2 + 10 + 1 (letters, lowercase and uppercase, then 0-9, and !), which will take a while to try in every possible combination. If I want to consider other symbols -- like underscore, space, dash, the at sign, pound, percent, so on... it takes a bit longer. I might limit initial runs to 8-characters, and if that doesn't work, I would use the entire common English character set with inputs 9 characters and longer.
By then, I have to be really determined to get that one password. Using that approach for an entire list would take way too much time without significant computing resources at my disposal. Certainly not a pile of Arduinos.