I think they forgot tho that recently millions of passwords got cracked by brute force on that dating site due to their developers removing the powerful bcrypt hashing algorithm which slows down password attempts.
Another way to look at it is, these passwords weren't cracked using brute force, rather they were cracked because brute force wasn't necessary, owing to them simply being hashed rather than properly encrypted.
In my opinion, the real point is that unless you are a specially attractive target, ie a head of state or whatever, the chances of anybody taking the trouble to brute-force an
encrypted password are small. Hence there is no real benefit in choosing complex passwords just because they might resist brute force. And long complex passwords would also be easily hacked in the example given, where merely hashed.
Another gripe of mine, are the browsers and mail Apps that 'remember' passwords, and then create an illusion that they are stored securely, by 'starring' out the characters. These passwords are very often easily discoverable, no brute force at all, should anyone manage to steal your HD. The reason they must be discoverable is that the browser itself must be able to retrieve the original text, so that it can be submitted over the (encrypted) login dialogue.
Mozilla Thunderbird (maybe other products too) will actually display stored passwords, in plain text, in the settings menus. They are correct to do so since obscuring them, or hiding them, would simply confer a false sense of security.
