Bruteforcing a live system is pointless and/or impossible as you have implied.
The problem of weak passwords is really two-fold:
- When a website is hacked (as many are) and its password database stolen (as many are), the weak passwords are the first to be cracked
Not exactly true. Depending on how the password is stored, the strength of the password is largely irrelevant. There are still many websites out there who don't place any protection on their password tables, full stop. Strong / weak / known / hard to guess, with no hashing the password will be cracked in 2 seconds flat.
Sometimes people will run a hashing algorithm across passwords tables, use a weak algorithm such as MD5, and rainbow tables will take care of most of your hacking needs there. -> check out the following article on cracking MD5 passwords ->
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Ars Technica
A strong algorithm such as SHA2-512, combined with a salt is pretty much the only way to store a password on the back end, and even then you need to make sure that the connection from the client all the way through to the database is encrypted, since if you are only doing the hashing on the database server and the connection between the website and the database is not encrypted, then again it's all for naught.
- People who use a weak password on one system are likely to use the same weak password on another system
So feel free to use "123456" on blah.com safe in the knowledge that blah.com has a lock out system, but when blah.com's database is stolen and the weak passwords decrypted, you'd better hope that you didn't use the same password on foo.com or bar.com as well
People who use strong passwords are likely to reuse them on other systems as well. The strength of the password means little as to its likelihood of being cracked. Probably the one password you want to keep secure (and different) over all else is your email password, since if your email account gets compromised it's very easy to then get other systems to send "reset password" requests.
The best solution is to use a password manager program that a) generates long, random passwords for every website you use and b) remembers those passwords so you don't have to. Then all you have to do is remember the (hopefully secure) password that gets you into the password manager.
And hope that the password manager is never hacked eg LastPass a couple of months ago.
Doing authentication correctly is actually a very complex topic; there are numerous ways to get into a system. A system designer needs to make sure they are all sealed, whereas a cracker only needs to find one method which gets them in. There have been many attempts to make things secure via methods other than username and password combinations, from centrally managed tokens (e.g. Microsoft's Passbook) to biometrics (e.g. fingerprint scanners, eye scanners) to dual factor (e.g. password and a physical device). All these methods have their advantages and disadvantages.
Of course never forget, no matter what authentication method you use or how much the systems can be improved, it will always be a human being who needs to use it, and that's the one part of the system that can never be upgraded.
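The point made in the reply above about unsalted MD5 versus a salted SHA-512 store, worked through as an added example (this is not code from the poster; the user table, the password values and the tiny word list standing in for a precomputed table are all constructed for the demonstration):

```python
"""Added example: an unsalted fast hash lets one precomputed table be reused
against every user in every breach; a per-user random salt removes that shortcut."""
import hashlib
import hmac
import os

# Constructed sample data: a tiny "leaked" user table and a tiny word list
# standing in for the precomputed (rainbow) table a cracker would bring.
USERS = {"alice": "123456", "bob": "correcthorsebattery", "carol": "password"}
WORDLIST = ["123456", "password", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme from the reply: plain MD5 over the password."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """The scheme the reply recommends: SHA-512 over a random salt plus the password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Password table as many breached sites kept it: user -> md5(password)."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Password table with a fresh 16-byte salt per user: user -> (salt_hex, hash)."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt.hex(), sha512_salted(pw, salt))
    return table


def precomputed_table(wordlist: list) -> dict:
    """Hash every candidate once, up front: hash -> plaintext. Built only once,
    then reused against any unsalted MD5 dump ever obtained."""
    return {md5_unsalted(word): word for word in wordlist}


def lookup_unsalted(store: dict, table: dict) -> dict:
    """Every weak password falls to a dictionary lookup, no hashing at crack time."""
    return {user: table[h] for user, h in store.items() if h in table}


def lookup_salted(store: dict, table: dict) -> dict:
    """The same table is useless here: the salt was not part of the precomputation,
    so nothing matches and the attacker must start from scratch per user."""
    return {user: table[h] for user, (_salt, h) in store.items() if h in table}


def verify_salted(store: dict, user: str, password: str) -> bool:
    """Server-side login check: recompute with the stored salt and compare in
    constant time so the comparison itself leaks nothing."""
    salt_hex, stored = store[user]
    candidate = sha512_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rainbow = precomputed_table(WORDLIST)
    print("unsalted MD5 cracked:", lookup_unsalted(store_unsalted(USERS), rainbow))
    salted = store_salted(USERS)
    print("salted SHA-512 cracked:", lookup_salted(salted, rainbow))
    print("alice login ok:", verify_salted(salted, "alice", "123456"))
```

Run it and the unsalted table gives up alice and carol immediately while the salted table gives up nothing to the same lookup. Note what the salt does and does not buy: it defeats shared precomputation, but SHA-512 is still a fast hash, so a weak password such as "123456" is still quickly guessable per user; a deliberately slow, memory-hard password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) is the usual modern choice for exactly that reason.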