Well in all fairness those are probably pretty good passwords. I would guess they are both extremely uncommon passwords. Furthermore any brute forcing algorithm is probably going to leave trying all 28 character passwords for the end since most people do not have passwords that long.