Nothing suprising about it.
> and interestingly, when he had to resort to brute force, in all cases the passwords were six characters or fewer.
Thats because he will have completely exhausted the 1 to 6 character search space but might still be searching the 7+ address space.
It all depends upon how efficient his brute force attack is. If it is pathetically slow and only manages 100,000 attempts per second it will take him about 3 months to exhaustively search* the 6 character password space and nearly 25 years to do the same with the 7 character address space.
* This assumes each character is one of the 96 printable ASCII characters. If he uses the reduced character set in the article then it would take 10 days to exhaustively search the 6 character address space and over 20 months to search the 7 character one.