...how many systems let you try new passwords ad infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.
I am not an IT professional engaging in rhetoric; I'm actually curious.
No online system is fast enough to brute force an account even if they did allow you to try new passwords ad infinitum - each attempt would take a second or two and that's just too slow for effective "cracking" I would think.
I believe that the concern is for when there has been a data breach of some sort, and the "bad guys" have gotten the username/password file. The data in this file has been run through some sort of a one-way function and thus you cannot just read the usernames and passwords out of it, but since the attacker knows what the one-way function is, they can test to see if any username or password that they want to know about is in the file, and they can do this with all the computing power at their disposal. "Rainbow" tables are pre-calculated results of this one-way function for common usernames and passwords.
The data in the file can be "salted", adding an extra bit of information to the password before running it through the one-way function - even if the "salt" is known by the attacker, this prevents rainbow tables from being useful. There are probably also ways of combining unique salt values, usernames, and passwords so that even "insecure" passwords are difficult to recover from the file, but of course the longest passwords drawn from the largest possible set of characters will always be hardest to "crack".
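Added example, not part of the original comments: a Python sketch of the salting point above, showing that a precomputed hash table matches an unsalted password file but finds nothing once each record has its own random salt, while legitimate login verification still works. The account names, word list, PBKDF2 choice and iteration count are assumptions made for illustration, and the dictionary is a simple stand-in for a rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and three accounts.
COMMON = ["123456", "password", "qwerty", "letmein"]
USERS = {"alice": "password", "bob": "password", "carol": "vivid-quartz-lantern-42"}
ITERATIONS = 100_000  # illustrative work factor, not a recommendation

def unsalted_hash(pw: str) -> str:
    """Weak storage: the same password always yields the same hash."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_record(pw: str) -> dict:
    """Stronger storage: random per-user salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)  # stored in the clear next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(pw: str, rec: dict) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])

# Stand-in for a precomputed table: hash -> password, built once, reusable anywhere.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON}

def table_hits(stored: dict) -> dict:
    """Accounts whose stored hash (hex) appears in the precomputed table."""
    return {u: PRECOMPUTED[h] for u, h in stored.items() if h in PRECOMPUTED}

def demo() -> dict:
    unsalted_file = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_file = {u: salted_record(p) for u, p in USERS.items()}
    salted_hex = {u: r["hash"].hex() for u, r in salted_file.items()}
    return {
        "unsalted_hits": table_hits(unsalted_file),
        "salted_hits": table_hits(salted_hex),
        "same_pw_same_hash_unsalted": unsalted_file["alice"] == unsalted_file["bob"],
        "same_pw_same_hash_salted": salted_hex["alice"] == salted_hex["bob"],
        "login_ok": verify("password", salted_file["alice"]),
        "login_bad": verify("passw0rd", salted_file["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a weak password strong: it forces the guessing work to be repeated per account, and the slow key-derivation function makes each guess more expensive.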