Hacker News
by __ryan__ 1065 days ago
This isn’t the attack vector to be concerned about. More concerning is when there’s a data breach and an attacker gains access to hashed passwords. At that point, you attack the hash, not the API.

This comment is an example of why I wouldn’t want any given website to choose my password.

1 comment

That assumes the situation where the password hashes are stored in a way that is less secure than the actual data that the attacker ultimately wants access to. That must not be a very common situation.

The passwords will not be of any use on any other system. This would eliminate password reuse.

Accessing a user's data is not the only reason for hacking their account. Performing actions on behalf of a user is just as much of a threat.

Edit: also, if an attacker dumps all the data today then loses access to the data tomorrow, having access to my password hashes means they can access my account and data later.