[gmazzola]

If the password hashing scheme is secure (bcrypt, as tptacek repeatedly recommends) dictionary attacks become non-trivial and slow. It's still possible to brute force the database, of course, but the time required makes the attack less profitable.

I would thus argue that a secure hashing schema is significantly better. This is assuming the programmer uses bcrypt in the first place, which is a questionable assumption: even popular projects like phpBB use MD5 for password hashing. (The fools.)

If MD5 is used then I would wholeheartedly agree with you: I've used http://milw0rm.com 's MD5 hash breaking service plenty of times to know why I shouldn't use that algorithm in my own code. (One of my old passwords is in the database, but I'm not telling you which one.)