by userbinator 3675 days ago
Not quite as frightening as the schemes some financial institutions use... one that immediately comes to mind is 6 digits, no more or less, and probably stored in plaintext. Then again, bruteforcing attempts are usually very easily noticed and kept from succeeding on such systems.
1 comments

Sure. But it would be a stretch to find any financial institution with as many as 360 million customer records. Maybe one of the state-owned commercial banks in China being the exception.

And more to the point, the corresponding email addresses and/or usernames in the MySpace breach are leaked along with the password hashes. The same email address and password combinations will be tried on other web sites (e.g. Amazon, Facebook) with a reasonable chance of success. No brute force necessary.