by forgotpwtomain 3443 days ago
> If your account is locked out after 3 failed login attempts, if they limit to one attempt per second,

The point of effective passwords isn't that someone is going to guess it on login - it's that if the database gets dumped all the passwords aren't recoverable from the hashes.

The security of passwords at rest depends on how they are stored. Further, if an SSA database is dumped, passwords won't be the data exposure people are upset about.
> The security of passwords at rest depends on how they are stored.

Insecure passwords are insecure at rest no matter how they are stored.