passwords can be brute-forced in moments
That bit's actually fairly accurate, given that most people still use some variant of "password" as their password (passw01d, wordpass, password123, etc etc), and given that certain clueless entities (*coughtalktalkcough*) store passwords with cryptographically weak hashing and no salt, or even as plain text.