Comment Re:ObXKCD: Passphrases (Score 1) 288
If this kind of system were to include actual failed password attempts on the system, it would be fair to take the 3rd standard deviation above the mean, but on a system that never gets its passwords tested, it is unreasonable to assume that all passwords are under a maximal attack all the time.
Also, what's wrong with "pacing" password attempts: an exponential increase of the time delay between failed attempts, up to maybe 30 minutes? It will take a very long time to guess test1234%^ at 30 minutes per guess.
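
The pacing scheme the comment describes, as an added example that is not part of the original comment: a per-account throttle whose delay doubles after each failed attempt, up to the 30-minute cap. The 1-second starting delay, the `LoginPacer` and `seconds_to_try` names and the caller-supplied `now` clock are assumptions.

```python
BASE_DELAY = 1.0        # seconds imposed after the first failure (assumed value)
MAX_DELAY = 30 * 60.0   # cap taken from the comment: 30 minutes


class LoginPacer:
    """Per-account exponential delay between failed login attempts."""

    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY):
        self.base, self.cap = base, cap
        self.state = {}  # account -> (consecutive failures, earliest next attempt)

    def delay_after(self, failures):
        """Delay after the n-th consecutive failure: base * 2^(n-1), capped."""
        if failures <= 0:
            return 0.0
        # Clamp the exponent so a huge failure count cannot overflow the float.
        return min(self.cap, self.base * 2.0 ** min(failures - 1, 64))

    def attempt(self, account, password_ok, now):
        """Return 'throttled', 'ok' or 'failed' for an attempt made at time now."""
        failures, not_before = self.state.get(account, (0, 0.0))
        if now < not_before:
            # Rejected without checking the password, so guesses sent during
            # the delay window reveal nothing and do not count as a test.
            return "throttled"
        if password_ok:
            self.state.pop(account, None)  # success resets the pacing
            return "ok"
        failures += 1
        self.state[account] = (failures, now + self.delay_after(failures))
        return "failed"


def seconds_to_try(guesses, base=BASE_DELAY, cap=MAX_DELAY):
    """Minimum wall-clock time to get `guesses` wrong guesses evaluated
    against one account (the wait after the final guess is not counted)."""
    pacer = LoginPacer(base, cap)
    return sum(pacer.delay_after(n) for n in range(1, guesses))


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n:>5} guesses: {seconds_to_try(n) / 86400:.2f} days")
```

The failure counter is kept per account, so anyone who knows a username can also slow down its owner's logins; keying the state on account plus source address is a common variation.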