"[...] uses six words from a dictionary of 2048 [...]"
Presumably the set of 2048 words is chosen by each implementation, rather than being prescribed by the RFC?
Without access to the details of that "unique" set, cracking it has to assume a much larger dictionary of possibilities. However, a subscriber could repeatedly request new passwords and thus map the permissible set to some extent.
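The numbers behind that last point, as an added calculation that is not part of the original comment: it estimates how much of a 2048-word list becomes visible from issued passwords, and the entropy that remains once the list is known. It assumes each of the six words is drawn independently and uniformly from the list; the function names are illustrative.

```python
import math
import secrets

DICT_SIZE = 2048          # dictionary size from the quoted text
WORDS_PER_PASSWORD = 6    # words per password from the quoted text


def entropy_bits(dict_size=DICT_SIZE, words=WORDS_PER_PASSWORD):
    """Entropy of one password when the word list is fully known."""
    return words * math.log2(dict_size)


def expected_coverage(requests, dict_size=DICT_SIZE, words=WORDS_PER_PASSWORD):
    """Expected fraction of the list seen after `requests` issued passwords."""
    draws = requests * words
    return 1.0 - (1.0 - 1.0 / dict_size) ** draws


def expected_requests_for_full_map(dict_size=DICT_SIZE, words=WORDS_PER_PASSWORD):
    """Coupon-collector estimate: N * H_N word draws, taken `words` at a time."""
    harmonic = sum(1.0 / k for k in range(1, dict_size + 1))
    return dict_size * harmonic / words


def simulate_requests_to_map(fraction=1.0, dict_size=DICT_SIZE,
                             words=WORDS_PER_PASSWORD):
    """Simulate issuing passwords until `fraction` of the list has appeared."""
    target = math.ceil(fraction * dict_size)
    seen = set()
    requests = 0
    while len(seen) < target:
        requests += 1
        for _ in range(words):
            # Word indices stand in for words; constructed data, not a real list.
            seen.add(secrets.randbelow(dict_size))
    return requests


if __name__ == "__main__":
    print(f"entropy with known list: {entropy_bits():.0f} bits")
    print(f"coverage after 1000 requests: {expected_coverage(1000):.1%}")
    print(f"expected requests for full map: {expected_requests_for_full_map():.0f}")
    print(f"simulated requests for full map: {simulate_requests_to_map()}")
```

Under these assumptions the list is effectively public after a few thousand issued passwords, so the strength to rely on is the 66 bits that remain when the list is known, not the secrecy of the list.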