How much time it would take depends on the objective and password strength. If the attacker is looking for any random user with a weak password so that he can exploit that user on other sites, then it probably won't take much time. Let's say he has a list of 5 thousand most common passwords, 1 million users in your DB, and 1 ms to compute a hash, then it would take about 2 months to identify the users with weak passwords. (Though, password strengthening can increase that compute time by 100x or 1000x.) On the other hand, if the objective were to attack your site specifically by brute-forcing the admin password (hopefully a strong password of at least 8 mixed case, numbers and symbols) then it would take a couple hundred thousand years.