Dude, the first step to good security is to assume you've been compromised and then construct your defenses based on that assumption.
Not so much. The first step is figuring out what you're protecting.
The next step is figuring out what the fallout is if you're compromised.
The third step is figuring out the likelihood of being compromised, and potential avenues of attack.
Only at that point do you construct your defenses.
Contingency plans are based on assuming the worst has happened. Security plans are not. And a good security plan prevents having to implement a contingency plan, with a high degree of success.
TFA was stating that one should force password changes based on average time to crack. I'm saying this is an artificial burden on the users if they don't figure in the probability of getting cracked (or rather, the time to figure out someone stole the file), and force changes 2 stddev earlier, not just the "average" time to crack minus the window of how often one logs in.
To demonstrate TFA was just spouting and not doing themselves or users any favors, if they knew they had been compromised yesterday and lost the hashed file, do you think they'd say "Ok, you guys with the shorter passwords need to change them a day sooner"? No, they'd force a global password change, even on those people with passwords that'd average a year to crack. So this is inconsistent with what the article is even saying, and is basically passing the annoyance on to the users based on fuzzy math.
I think TFA's oversight is intentional, however, although not really presented as that. The idea is to punish those with short passwords, and reward those that are more secure from brute force attacks. This has less to do with security than it has to do with artificially coaxing better passwords.